Forum Discussion

crodriguez1's avatar
crodriguez1
Brass Contributor
May 09, 2018
Solved

https://graph.microsoft.com/beta/security/alerts Not returning any data: value: []

We've tested the /security/alerts api from 2 different tenants. In both tenants we have Azure AD Identity Protection and Azure Security Center Alerts. We can see those alerts from their respective bl...
  • Michael Shalev's avatar
    Michael Shalev
    May 14, 2018
    Issue was successfully resolved
Michael Shalev's avatar
Michael Shalev
Former Employee
May 09, 2018
Certainly, we'll be happy to assist. I suggest sending me the Azure tenant ID/s over a private message so we can investigate your not getting any results to your queries. Michael
Michael Shalev's avatar
Michael Shalev
Former Employee
May 14, 2018
Issue was successfully resolved
  • Tariq Gharra's avatar
    Tariq Gharra
    Copper Contributor
    May 22, 2018

    Hi , 
    Can you please elaborate the steps taken to solve the issue. 

    since I'm facing the same issue, but I have Advanced Threat Protection as security provider . 
    I have already defined a security alerts policy and a threat management policy. 


    Thanks, 
    Tariq 

    Michael Shalev wrote:
    Issue was successfully resolved


     

    • Michael Shalev's avatar
      Michael Shalev
      Former Employee
      Jul 13, 2018

      Alerts from Windows Defender ATP are currently in Private Preview - will update when you can test this.

      If you enabled WDATP in Azure Security Center, you should see these alerts included in the ASC alerts.

      Michael

      • txmowery's avatar
        txmowery
        Copper Contributor
        Oct 19, 2020

        Michael Shalev Have similar issue when calling https://graph.microsoft.com/v1.0/security/alerts via python.  The properties returned do not reflect what is in the documentation. I.e : Category (per docs) = category String Category of the alert (for example, credentialTheft, ransomware, etc.).

         

        I'm getting a GUID for category. Other properties like incidentIds are blank...

         

         

              "id": "redacted",
      "azureTenantId": "redacted",
      "azureSubscriptionId": "redacted",
      "riskScore": null,
      "tags": [],
      "activityGroupName": null,
      "assignedTo": null,
      "category": "e573729c-f65f-46cc-b31b-f5ad7c32ff59_aa5de612-30f2-4e66-8a7f-da99b946ce54",
      "closedDateTime": null,
      "comments": [],
      "confidence": null,
      "createdDateTime": "2020-10-18T18:54:41.9442907Z",
      "description": "Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.",
      "detectionIds": [],
      "eventDateTime": "2020-10-04T18:49:39.9931844Z",
      "feedback": null,
      "incidentIds": [],
      "lastModifiedDateTime": "2020-10-18T18:54:42.0552251Z",
      "recommendedActions": [],
      "severity": "low",
      "sourceMaterials": [],
      "status": "newAlert",
      "title": "Suspicious Resource deployment",

         

         

        Any thoughts?

         

         

Resources