May 09 2018 06:24 AM
We've tested the /security/alerts api from 2 different tenants. In both tenants we have Azure AD Identity Protection and Azure Security Center Alerts. We can see those alerts from their respective blades in Azure Portal.
But https://graph.microsoft.com/beta/security/alerts returns
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#Security/alerts",
"value": []
}
We're properly authenticated with proper permissions. We've tried it from the Graph Explorer and from both C# samples (desktop and ASP.NET).
Can you give us a hand?
May 09 2018 03:04 PM
May 14 2018 11:06 AM
Solution
May 22 2018 01:16 PM
Hi,
Can you please elaborate on the steps taken to solve the issue, since I'm facing the same issue, but I have Advanced Threat Protection as the security provider.
I have already defined a security alerts policy and a threat management policy.
Thanks,
Tariq
@Michael Shalev wrote:
Issue was successfully resolved
Jul 13 2018 09:17 AM
Alerts from Windows Defender ATP are currently in Private Preview - will update when you can test this.
If you enabled WDATP in Azure Security Center, you should see these alerts included in the ASC alerts.
Michael
Feb 12 2019 09:42 PM
I have the same issue but with https://graph.microsoft.com/v0.1/security/alerts. We always get empty alerts since 2019/01/08 for one tenant, before that it was working. Would you please help on that?
Oct 19 2020 08:03 AM - edited Oct 19 2020 08:03 AM
@Michael Shalev I have a similar issue when calling https://graph.microsoft.com/v1.0/security/alerts via Python. The properties returned do not reflect what is in the documentation, i.e., per the docs: category (String) - Category of the alert (for example, credentialTheft, ransomware, etc.).
I'm getting a GUID for category. Other properties like incidentIds are blank...
{
"id": "redacted",
"azureTenantId": "redacted",
"azureSubscriptionId": "redacted",
"riskScore": null,
"tags": [],
"activityGroupName": null,
"assignedTo": null,
"category": "e573729c-f65f-46cc-b31b-f5ad7c32ff59_aa5de612-30f2-4e66-8a7f-da99b946ce54",
"closedDateTime": null,
"comments": [],
"confidence": null,
"createdDateTime": "2020-10-18T18:54:41.9442907Z",
"description": "Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.",
"detectionIds": [],
"eventDateTime": "2020-10-04T18:49:39.9931844Z",
"feedback": null,
"incidentIds": [],
"lastModifiedDateTime": "2020-10-18T18:54:42.0552251Z",
"recommendedActions": [],
"severity": "low",
"sourceMaterials": [],
"status": "newAlert",
"title": "Suspicious Resource deployment"
}
Any thoughts?
Feb 25 2021 06:12 AM
Hello,
I also see that incidents collected via the API in my test environment are missing values for incidentIds. I'm also curious why there's no field carrying a URL link to the incident, which is present in the UI. That would make life easier for a SOC analyst investigating this. Any ideas?
Best regards,
Jmarci
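Added example, not from this thread or from Microsoft's samples: a small Python helper that walks a paged /security/alerts result and flags the gaps raised in the Oct 2020 and Feb 2021 posts above (an empty value array, a GUID pair in category where the docs promise a name like credentialTheft, and empty incidentIds). The sample pages, alert ids, nextLink URL and provider values ("ASC", "IPC") are constructed for the demo; the HTTP call and bearer token are left to a caller-supplied fetch_next callback, so the block runs offline.

```python
import re

# Constructed sample pages shaped like v1.0 /security/alerts responses (not real tenant data).
NEXT = "https://graph.microsoft.com/v1.0/security/alerts?$skip=1"   # hypothetical nextLink
PAGE_1 = {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/alerts",
    "@odata.nextLink": NEXT,
    "value": [{
        "id": "alert-1", "severity": "low", "status": "newAlert", "incidentIds": [],
        "category": "e573729c-f65f-46cc-b31b-f5ad7c32ff59_aa5de612-30f2-4e66-8a7f-da99b946ce54",
        "title": "Suspicious Resource deployment",
        "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"},   # constructed values
    }],
}
PAGE_2 = {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/alerts",
    "value": [{
        "id": "alert-2", "severity": "high", "status": "newAlert", "incidentIds": ["inc-7"],
        "category": "credentialTheft", "title": "Anonymous IP address sign-in",
        "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"},   # constructed values
    }],
}
EMPTY_PAGE = {"@odata.context": PAGE_1["@odata.context"], "value": []}   # the "[]" case

HEX = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
GUID_CATEGORY = re.compile(rf"^{HEX}(_{HEX})*$", re.I)   # GUID or GUID_GUID, not a category name


def fetch_all_alerts(first_page, fetch_next):
    """Collect every alert, following @odata.nextLink until the service stops returning one."""
    alerts, page = [], first_page
    while True:
        alerts.extend(page.get("value", []))
        link = page.get("@odata.nextLink")
        if not link:
            return alerts
        page = fetch_next(link)   # caller supplies the HTTP GET (and the bearer token)


def triage(alerts):
    """Summarise a result set and flag the gaps discussed in this thread."""
    report = {"count": len(alerts), "empty": not alerts, "by_provider": {},
              "guid_category": [], "no_incident": []}
    for a in alerts:
        provider = (a.get("vendorInformation") or {}).get("provider", "unknown")
        report["by_provider"][provider] = report["by_provider"].get(provider, 0) + 1
        if GUID_CATEGORY.match(a.get("category") or ""):   # GUID where a name was documented
            report["guid_category"].append(a["id"])
        if not a.get("incidentIds"):                        # nothing to pivot to an incident
            report["no_incident"].append(a["id"])
    return report
```

Grouping by provider is the quickest way to tell whether a tenant's empty or odd-looking result is coming from one source (e.g. only the ASC-fed alerts) rather than from the whole endpoint.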