Forum Discussion
https://graph.microsoft.com/beta/security/alerts Not returning any data: value: []
- May 14, 2018 (Issue was successfully resolved)
Alerts from Windows Defender ATP are currently in Private Preview - will update when you can test this.
If you enabled WDATP in Azure Security Center, you should see these alerts included in the ASC alerts.
Michael
Michael Shalev I have a similar issue when calling https://graph.microsoft.com/v1.0/security/alerts via Python. The properties returned do not reflect what is in the documentation, i.e. category (per docs): category, String, "Category of the alert (for example, credentialTheft, ransomware, etc.)."
I'm getting a GUID for category. Other properties like incidentIds are blank...
{
  "id": "redacted",
  "azureTenantId": "redacted",
  "azureSubscriptionId": "redacted",
  "riskScore": null,
  "tags": [],
  "activityGroupName": null,
  "assignedTo": null,
  "category": "e573729c-f65f-46cc-b31b-f5ad7c32ff59_aa5de612-30f2-4e66-8a7f-da99b946ce54",
  "closedDateTime": null,
  "comments": [],
  "confidence": null,
  "createdDateTime": "2020-10-18T18:54:41.9442907Z",
  "description": "Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.",
  "detectionIds": [],
  "eventDateTime": "2020-10-04T18:49:39.9931844Z",
  "feedback": null,
  "incidentIds": [],
  "lastModifiedDateTime": "2020-10-18T18:54:42.0552251Z",
  "recommendedActions": [],
  "severity": "low",
  "sourceMaterials": [],
  "status": "newAlert",
  "title": "Suspicious Resource deployment"
}
Any thoughts?
- Jmarci666, Feb 25, 2021, Copper Contributor
Hello,
I also see that incidents collected via the API in my test environment are missing values for incidentIds. I'm also curious why there's no field carrying a URL link to the incident, which is present in the UI. That would make life easier for a SOC analyst investigating this. Any ideas?
Best regards,
Jmarci
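Both posts above run into the same two surprises when pulling alerts from the Graph security alerts endpoint: category comes back as a GUID-style string instead of a documented name, and incidentIds (along with detectionIds and sourceMaterials) is empty, so the alert cannot be tied to an incident without opening the portal. The following Python is an added example written for this thread, not code from Microsoft or any of the posters. It builds the request the way the Python caller above would (prepared, never sent, so it runs offline), then triages each returned alert so a collector can flag records that need manual correlation. The sample alert is the response posted above with its ids redacted; EXPECTED_FIELDS, CORRELATION_FIELDS and the GUID-category heuristic are this example's own assumptions, not the documented schema.

```python
"""Triage alerts returned by the Microsoft Graph security alerts API.

Added example for this thread. It prepares the list-alerts request without
sending it and checks each alert for the gaps the thread describes: a
GUID-style category and empty incident/detection/source links.
"""
import re
from typing import Any, Dict, List, Optional, Tuple
from urllib.parse import urlencode

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"

# Fields a collector relies on; chosen for this example from the posted
# response, not the full documented resource (assumption).
EXPECTED_FIELDS = ("id", "azureTenantId", "category", "createdDateTime",
                   "eventDateTime", "incidentIds", "severity", "status", "title")

# Fields whose emptiness leaves the analyst correlating by hand (assumption).
CORRELATION_FIELDS = ("incidentIds", "detectionIds", "sourceMaterials")

# One GUID, or several GUIDs joined by '_', as seen in the posted category value.
_GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
_GUID_CATEGORY = re.compile(rf"^{_GUID}(_{_GUID})*$")


def build_alert_request(access_token: str, top: int = 50,
                        severity: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for listing alerts; send it with your own HTTP client."""
    params = {"$top": str(top)}
    if severity:
        # OData filter on the documented severity property.
        params["$filter"] = f"severity eq '{severity}'"
    url = f"{GRAPH_ALERTS_URL}?{urlencode(params, safe='$')}"
    headers = {"Authorization": f"Bearer {access_token}",
               "Accept": "application/json"}
    return url, headers


def is_provider_guid_category(value: Any) -> bool:
    """True when category is GUID-shaped rather than a documented name like 'ransomware'."""
    return isinstance(value, str) and bool(_GUID_CATEGORY.match(value))


def triage_alert(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Report absent or empty fields and whether the category is usable as-is."""
    missing: List[str] = [f for f in EXPECTED_FIELDS if f not in alert]
    empty: List[str] = [f for f in CORRELATION_FIELDS if f in alert and not alert[f]]
    return {
        "id": alert.get("id"),
        "missing_fields": missing,
        "empty_fields": empty,
        "category_is_provider_guid": is_provider_guid_category(alert.get("category")),
        # No incidentIds means the incident link must be recovered in the portal.
        "needs_manual_correlation": "incidentIds" in empty or "incidentIds" in missing,
    }


# Sample alert: the response posted in this thread, ids redacted (constructed input).
SAMPLE_ALERT: Dict[str, Any] = {
    "id": "redacted",
    "azureTenantId": "redacted",
    "azureSubscriptionId": "redacted",
    "riskScore": None,
    "tags": [],
    "activityGroupName": None,
    "assignedTo": None,
    "category": "e573729c-f65f-46cc-b31b-f5ad7c32ff59_aa5de612-30f2-4e66-8a7f-da99b946ce54",
    "closedDateTime": None,
    "comments": [],
    "confidence": None,
    "createdDateTime": "2020-10-18T18:54:41.9442907Z",
    "description": "Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.",
    "detectionIds": [],
    "eventDateTime": "2020-10-04T18:49:39.9931844Z",
    "feedback": None,
    "incidentIds": [],
    "lastModifiedDateTime": "2020-10-18T18:54:42.0552251Z",
    "recommendedActions": [],
    "severity": "low",
    "sourceMaterials": [],
    "status": "newAlert",
    "title": "Suspicious Resource deployment",
}

if __name__ == "__main__":
    url, headers = build_alert_request("<access token placeholder>", top=25, severity="low")
    print("GET", url)
    print(triage_alert(SAMPLE_ALERT))
```

Running the block on the posted alert reports category_is_provider_guid as true and incidentIds, detectionIds and sourceMaterials as empty, which is exactly the record an analyst would have to finish correlating in the portal; a collector can route such alerts to a separate queue instead of treating the empty incidentIds as "no incident".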