Forum Discussion
https://graph.microsoft.com/beta/security/alerts Not returning any data: value: []
- May 14, 2018
Issue was successfully resolved
Hi,
Can you please elaborate on the steps taken to solve the issue,
since I'm facing the same issue, but I have Advanced Threat Protection as the security provider.
I have already defined a security alerts policy and a threat management policy.
Thanks,
Tariq
Michael Shalev wrote:
Issue was successfully resolved
- Michael Shalev, Jul 13, 2018, Former Employee
Alerts from Windows Defender ATP are currently in Private Preview - will update when you can test this.
If you enabled WDATP in Azure Security Center, you should see these alerts included in the ASC alerts.
Michael
- txmowery, Oct 19, 2020, Copper Contributor
Michael Shalev, I have a similar issue when calling https://graph.microsoft.com/v1.0/security/alerts via Python. The properties returned do not reflect what is in the documentation, e.g. Category (per docs) = category, String, Category of the alert (for example, credentialTheft, ransomware, etc.).
I'm getting a GUID for category. Other properties like incidentIds are blank...
  "id": "redacted",
  "azureTenantId": "redacted",
  "azureSubscriptionId": "redacted",
  "riskScore": null,
  "tags": [],
  "activityGroupName": null,
  "assignedTo": null,
  "category": "e573729c-f65f-46cc-b31b-f5ad7c32ff59_aa5de612-30f2-4e66-8a7f-da99b946ce54",
  "closedDateTime": null,
  "comments": [],
  "confidence": null,
  "createdDateTime": "2020-10-18T18:54:41.9442907Z",
  "description": "Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.",
  "detectionIds": [],
  "eventDateTime": "2020-10-04T18:49:39.9931844Z",
  "feedback": null,
  "incidentIds": [],
  "lastModifiedDateTime": "2020-10-18T18:54:42.0552251Z",
  "recommendedActions": [],
  "severity": "low",
  "sourceMaterials": [],
  "status": "newAlert",
  "title": "Suspicious Resource deployment",
Any thoughts?
- Jmarci666, Feb 25, 2021, Copper Contributor
Hello,
I also see that incidents collected via the API in my test environment are missing values for incidentIds. I'm also curious why there's no field carrying a URL link to the incident, which is present in the UI. That would make life easier for a SOC analyst investigating this. Any ideas?
Best regards,
Jmarci
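The two posts above (txmowery's GUID-valued category and Jmarci's empty incidentIds) both come down to records from /v1.0/security/alerts that do not match the documented alert schema. The script below is an added example, written for this thread and not code from Microsoft or from any poster: it pages through the endpoint by following @odata.nextLink, retries on HTTP 429 using the Retry-After header, and reports each alert whose category looks like a pair of GUIDs, whose incidentIds is empty, or whose severity is outside the documented enum. The bearer token is assumed to come from elsewhere (an app registration with the SecurityEvents.Read.All permission), and the two response pages, the $skiptoken value and the alert ids in SAMPLE_PAGES are constructed so the demo runs offline; only the GUID-pair category is copied from the record posted above.

```python
# Added example for this thread (not Microsoft code): page through
# https://graph.microsoft.com/v1.0/security/alerts from Python and flag
# records whose fields do not match the documented alert schema.
import json
import re
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Tuple

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"
_GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# Shape seen in the thread: two GUIDs joined by "_" where a category name is documented.
GUID_PAIR = re.compile(rf"^{_GUID}_{_GUID}$", re.IGNORECASE)
DOCUMENTED_SEVERITIES = {"unknown", "informational", "low", "medium", "high"}

Fetch = Callable[[str, Dict[str, str]], dict]  # (url, headers) -> decoded JSON body


def http_get_json(url: str, headers: Dict[str, str], retries: int = 3) -> dict:
    """GET a Graph URL; honour Retry-After when Graph throttles with HTTP 429."""
    for attempt in range(retries + 1):
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code != 429 or attempt == retries:
                raise
            time.sleep(int(err.headers.get("Retry-After", "5")))
    raise RuntimeError("unreachable")


def iter_alerts(token: str, fetch: Fetch = http_get_json, top: int = 100,
                odata_filter: Optional[str] = None) -> Iterator[dict]:
    """Yield every alert, following @odata.nextLink until the collection ends."""
    params: Dict[str, object] = {"$top": top}
    if odata_filter:
        params["$filter"] = odata_filter
    url: Optional[str] = f"{GRAPH_ALERTS}?{urllib.parse.urlencode(params)}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    while url:
        body = fetch(url, headers)
        yield from body.get("value", [])
        url = body.get("@odata.nextLink")  # absent on the last page


def schema_issues(alert: dict) -> List[str]:
    """Describe where an alert deviates from the documented v1.0 alert resource."""
    issues = []
    category = alert.get("category")
    if not isinstance(category, str) or GUID_PAIR.match(category):
        issues.append(f"category is not a documented name: {category!r}")
    if not alert.get("incidentIds"):
        issues.append("incidentIds is empty")
    if alert.get("severity") not in DOCUMENTED_SEVERITIES:
        issues.append(f"unexpected severity {alert.get('severity')!r}")
    return issues


def audit(token: str, fetch: Fetch = http_get_json) -> List[Tuple[str, List[str]]]:
    """Return (alert id, issues) for every alert that deviates from the docs."""
    findings = []
    for alert in iter_alerts(token, fetch):
        issues = schema_issues(alert)
        if issues:
            findings.append((alert["id"], issues))
    return findings


# Constructed sample responses (not real tenant data) mimicking two result pages.
_PAGE2 = GRAPH_ALERTS + "?$skiptoken=constructed"
SAMPLE_PAGES = {
    f"{GRAPH_ALERTS}?{urllib.parse.urlencode({'$top': 100})}": {
        "value": [
            {   # same shape as the record posted in the thread
                "id": "alert-1", "severity": "low", "status": "newAlert",
                "category": "e573729c-f65f-46cc-b31b-f5ad7c32ff59_aa5de612-30f2-4e66-8a7f-da99b946ce54",
                "incidentIds": [], "title": "Suspicious Resource deployment",
            },
            {"id": "alert-2", "severity": "high", "status": "newAlert",
             "category": "credentialTheft", "incidentIds": ["inc-42"]},
        ],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {"value": [{"id": "alert-3", "severity": "medium", "status": "inProgress",
                        "category": "ransomware", "incidentIds": ["inc-7"]}]},
}


def fake_fetch(url: str, headers: Dict[str, str]) -> dict:
    """Offline stand-in for http_get_json that serves the constructed pages."""
    assert headers["Authorization"].startswith("Bearer ")
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    # Against a real tenant: audit(token) with the default http_get_json fetcher.
    for alert_id, issues in audit("constructed-token", fake_fetch):
        print(alert_id, "->", "; ".join(issues))
```

Keeping the transport behind the Fetch callable is what makes the schema check testable without a tenant; the same audit() runs unchanged against Graph once a real token is passed and the default fetcher is used.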