Forum Discussion
Update ISG alerts
Hi Jeroen,
Sorry to hear about the problems you are running into. It seems you are trying to find the alert status and update that. This is available via the status property in the alert schema – details with enum values (newAlert, in Progress, resolved, etc.) are documented @ https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/alert . You can get different status values and we plan to enable update / PATCH scenario this Fall.
We do not recommend using tags for status update of alerts. Moreover, tags are an array, hence the filter query syntax "$filter=tag" needs to be corrected to cater to OData support for filtering array types.
Thanks for sharing the error message you are seeing (upon executing the HTTP request) – The error message expected here is a 400 / bad request for unsupported behavior. We are fixing this error message to return a 400 and this should be there in the next day or so.
Thanks for your feedback.
Preeti
- Jeroen Niesen, Jul 26, 2018, Copper Contributor
Hi Preeti,
Thanks for your answer. As far as I understand, the "status" property is not a writable property; and even if it were a writable property, I would rather have it updated by the source system (e.g. Security Center, ATP etc.)
I am currently looking for a mechanism to do a "diff" of the alerts that are in my system and the alerts that the Intelligent Security Graph is providing us. I want to import the alerts that are not in my system but are in the ISG. Applying a tag once an alert has been imported gives me the possibility to filter on new alerts that have not been imported yet.
I hope this will give you more context why I would use tags.
Thanks,
Jeroen
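Added example (not code from either poster or from Microsoft) showing both points of the thread: the array-valued `tags` property has to be filtered with the OData collection operator `any()` rather than `$filter=tag`, and the "diff" Jeroen describes can be computed from alert ids independently of the tag. The alert JSON, the tag name `imported` and the field layout are constructed for the example; whether the alerts endpoint evaluates `tags/any(...)` server-side is not confirmed by the thread, so the same predicate is also applied client-side.

```python
import json
from typing import Iterable

# Constructed sample of an alerts collection response (not real ISG data);
# status values follow the enum names mentioned in the thread.
ISG_ALERTS_JSON = """
{"value": [
  {"id": "A1", "title": "Suspicious sign-in", "status": "newAlert",   "tags": []},
  {"id": "A2", "title": "Malware detected",   "status": "inProgress", "tags": ["imported"]},
  {"id": "A3", "title": "Port scan",          "status": "resolved",   "tags": ["imported", "triaged"]},
  {"id": "A4", "title": "Brute force",        "status": "newAlert",   "tags": []}
]}
"""

IMPORT_TAG = "imported"  # constructed tag marking alerts already pulled into the local system


def tag_filter(tag: str, negate: bool = False) -> str:
    """OData v4 $filter expression for an array-valued property.

    Collections are filtered with the any()/all() lambda operators;
    a bare "$filter=tag" is not valid OData for an array.
    """
    escaped = tag.replace("'", "''")  # OData string literals double embedded single quotes
    expr = f"tags/any(t:t eq '{escaped}')"
    return f"not {expr}" if negate else expr


def not_imported(alerts: Iterable[dict], tag: str = IMPORT_TAG) -> list[dict]:
    """Client-side equivalent of `not tags/any(t:t eq '<tag>')`."""
    return [a for a in alerts if tag not in a.get("tags", [])]


def diff_alerts(isg_alerts: Iterable[dict], local_ids: set[str]) -> list[dict]:
    """Alerts in the ISG feed that are absent from the local system, keyed by id.

    Unlike the tag-based filter this stays correct even if a tag write
    failed or a tag was later removed, so it is the safer source of truth.
    """
    return [a for a in isg_alerts if a["id"] not in local_ids]


def mark_imported(alert: dict, tag: str = IMPORT_TAG) -> dict:
    """PATCH body that adds the tag without dropping tags already present."""
    tags = list(dict.fromkeys(alert.get("tags", []) + [tag]))  # de-duplicate, keep order
    return {"tags": tags}


def run(local_ids: set[str]) -> dict:
    alerts = json.loads(ISG_ALERTS_JSON)["value"]
    new = diff_alerts(alerts, local_ids)
    return {
        "filter": tag_filter(IMPORT_TAG, negate=True),
        "new_ids": [a["id"] for a in new],
        "untagged_ids": [a["id"] for a in not_imported(alerts)],
        "patch_bodies": {a["id"]: mark_imported(a) for a in new},
    }
```

`run({"A2", "A3"})` reports A1 and A4 both as missing locally and as untagged; if the two lists ever disagree, the id-based diff is the one to trust.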