Forum Discussion

crodriguez1's avatar
crodriguez1
Brass Contributor
May 09, 2018
Solved

https://graph.microsoft.com/beta/security/alerts Not returning any data: value: []

We've tested the /security/alerts api from 2 different tenants. In both tenants we have Azure AD Identity Protection and Azure Security Center Alerts. We can see those alerts from their respective bl...
  • Michael Shalev's avatar
    Michael Shalev
    May 14, 2018
    Issue was successfully resolved
Michael Shalev's avatar
Michael Shalev
Former Employee
May 14, 2018
Issue was successfully resolved
Tariq Gharra's avatar
Tariq Gharra
Copper Contributor
May 22, 2018

Hi , 
Can you please elaborate the steps taken to solve the issue. 

since I'm facing the same issue, but I have Advanced Threat Protection as security provider . 
I have already defined a security alerts policy and a threat management policy. 


Thanks, 
Tariq 

Michael Shalev wrote:
Issue was successfully resolved


 

  • Michael Shalev's avatar
    Michael Shalev
    Former Employee
    Jul 13, 2018

    Alerts from Windows Defender ATP are currently in Private Preview - will update when you can test this.

    If you enabled WDATP in Azure Security Center, you should see these alerts included in the ASC alerts.

    Michael

    • txmowery's avatar
      txmowery
      Copper Contributor
      Oct 19, 2020

      Michael Shalev Have similar issue when calling https://graph.microsoft.com/v1.0/security/alerts via python.  The properties returned do not reflect what is in the documentation. I.e : Category (per docs) = category String Category of the alert (for example, credentialTheft, ransomware, etc.).

       

      I'm getting a GUID for category. Other properties like incidentIds are blank...

       

       

            "id": "redacted",
      "azureTenantId": "redacted",
      "azureSubscriptionId": "redacted",
      "riskScore": null,
      "tags": [],
      "activityGroupName": null,
      "assignedTo": null,
      "category": "e573729c-f65f-46cc-b31b-f5ad7c32ff59_aa5de612-30f2-4e66-8a7f-da99b946ce54",
      "closedDateTime": null,
      "comments": [],
      "confidence": null,
      "createdDateTime": "2020-10-18T18:54:41.9442907Z",
      "description": "Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.",
      "detectionIds": [],
      "eventDateTime": "2020-10-04T18:49:39.9931844Z",
      "feedback": null,
      "incidentIds": [],
      "lastModifiedDateTime": "2020-10-18T18:54:42.0552251Z",
      "recommendedActions": [],
      "severity": "low",
      "sourceMaterials": [],
      "status": "newAlert",
      "title": "Suspicious Resource deployment",

       

       

      Any thoughts?

       

       

      • Jmarci666's avatar
        Jmarci666
        Copper Contributor
        Feb 25, 2021

        Michael Shalev 

        Hello,

        I also see that incidents collected via API in my test environment are missing values for incidentIds. I'm also curious why there's no field carrying URL link to incident which is present in UI. That would make life easier for SOC analyst investigating this. Any ideas?

        Best regards,

        Jmarci

Resources