analyzedEmail: remediate

Namespace: microsoft.graph.security

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Remove a potential threat from end users' mailboxes.

Remediation means to take prescribed action against a threat. This API can trigger email purge actions like move to junk, move to deleted items, soft delete, hard delete, or move to Inbox. This API enables scenarios and use cases such as SOAR integration, playbooks, and automations. For more information read email remediation, trigger action and track actions. If there is false positives admins can take move to inbox action.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) Not supported. Not supported.
Delegated (personal Microsoft account) Not supported. Not supported.
Application SecurityAnalyzedMessage.ReadWrite.All Not available.

HTTP request

POST /security/collaboration/analyzedEmails/remediate

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json. Required.

Request body

In the request body, supply a JSON representation of the parameters.

The following table lists the parameters that are required when you call this action.

Parameter Type Description
displayName String The name of the remediation that is used as a reference in the action center.
description String The description of the remediation.
severity microsoft.graph.security.remediationSeverity The severity of the remediation. The possible values are: low, medium, high, unknownFutureValue.
action microsoft.graph.security.remediationAction The types of move and delete actions that are supported. The possible values are: moveToJunk, moveToInbox, hardDelete, softDelete, moveToDeletedItems, unknownFutureValue.
remediateSendersCopy Boolean For internal or outbound email, indicates whether to remediate the sender's copy of an email.
analyzedEmails microsoft.graph.security.analyzedEmail collection Contains the networkMessageId and recipientEmailAddress values of the analyzed emails.

Response

If successful, this action returns a 202 Accepted response code and a Location header with a link to the tracking information.

Note: The response to the action can be tracked in https://security.microsoft.com/action-center/history. To learn more, see Use the Action center.

Examples

Request

The following example shows a request.

POST https://graph.microsoft.com/beta/security/collaboration/analyzedEmails/remediate
Content-Type: application/json

{
    "displayName": "Clean up Phish email",
    "description": "Delete email",
    "severity": "medium",
    "action": "softDelete",
    "remediateSendersCopy": "false",
    "analyzedEmails": [
      {
        "networkMessageId": "73ca4154-58d8-43d0-a890-08dc18c52e6d",
        "recipientEmailAddress": "[email protected]"
      },
      {
        "networkMessageId": "73ca4154-58d8-43d0-a890-08dc18c52e6d",
        "recipientEmailAddress": "[email protected]"
      }
    ]
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 202 Accepted
Location: https://security.microsoft.com/action-center/history?filters={"bulkId":["{bulkId}"]}&tid={tid}
Content-Type: application/json;text/plain
Content-Length: 0