Forum Discussion
crodriguez1
May 09, 2018, Brass Contributor
https://graph.microsoft.com/beta/security/alerts Not returning any data: value: []
We've tested the /security/alerts api from 2 different tenants. In both tenants we have Azure AD Identity Protection and Azure Security Center Alerts. We can see those alerts from their respective bl...
- May 14, 2018: Issue was successfully resolved
txmowery
Oct 19, 2020, Copper Contributor
Michael Shalev I have a similar issue when calling https://graph.microsoft.com/v1.0/security/alerts via Python. The properties returned do not reflect what is in the documentation, i.e. category (per docs): String, "Category of the alert (for example, credentialTheft, ransomware, etc.)".
I'm getting a GUID for category. Other properties like incidentIds are blank...
{
  "id": "redacted",
  "azureTenantId": "redacted",
  "azureSubscriptionId": "redacted",
  "riskScore": null,
  "tags": [],
  "activityGroupName": null,
  "assignedTo": null,
  "category": "e573729c-f65f-46cc-b31b-f5ad7c32ff59_aa5de612-30f2-4e66-8a7f-da99b946ce54",
  "closedDateTime": null,
  "comments": [],
  "confidence": null,
  "createdDateTime": "2020-10-18T18:54:41.9442907Z",
  "description": "Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.",
  "detectionIds": [],
  "eventDateTime": "2020-10-04T18:49:39.9931844Z",
  "feedback": null,
  "incidentIds": [],
  "lastModifiedDateTime": "2020-10-18T18:54:42.0552251Z",
  "recommendedActions": [],
  "severity": "low",
  "sourceMaterials": [],
  "status": "newAlert",
  "title": "Suspicious Resource deployment"
}
Any thoughts?
Jmarci666
Feb 25, 2021, Copper Contributor
Hello,
I also see that incidents collected via the API in my test environment are missing values for incidentIds. I'm also curious why there's no field carrying a URL link to the incident, which is present in the UI. That would make life easier for a SOC analyst investigating this. Any ideas?
Best regards,
Jmarci
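Both txmowery's post (a GUID-shaped category, empty incidentIds) and Jmarci's post (empty incidentIds, no link back to the incident) describe the same thing: alert objects whose fields do not carry what the schema documentation leads a consumer to expect. The script below is an added example written for this thread, not code from Microsoft or from either poster. It audits each alert returned by the v1.0 endpoint against those expectations before the alert is handed to a SOC workflow, using txmowery's redacted alert as a constructed offline sample. The fetch helper at the bottom is an assumption about how a practitioner would pull the data (a bearer token with a Graph security read permission such as SecurityEvents.Read.All); it is not called when the file runs.

```python
import json
import re
import urllib.request

# Constructed sample: the alert txmowery posted above, with the redacted values kept as-is.
SAMPLE_ALERT = {
    "id": "redacted",
    "azureTenantId": "redacted",
    "azureSubscriptionId": "redacted",
    "riskScore": None,
    "tags": [],
    "activityGroupName": None,
    "assignedTo": None,
    "category": "e573729c-f65f-46cc-b31b-f5ad7c32ff59_aa5de612-30f2-4e66-8a7f-da99b946ce54",
    "closedDateTime": None,
    "comments": [],
    "confidence": None,
    "createdDateTime": "2020-10-18T18:54:41.9442907Z",
    "description": "Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.",
    "detectionIds": [],
    "eventDateTime": "2020-10-04T18:49:39.9931844Z",
    "feedback": None,
    "incidentIds": [],
    "lastModifiedDateTime": "2020-10-18T18:54:42.0552251Z",
    "recommendedActions": [],
    "severity": "low",
    "sourceMaterials": [],
    "status": "newAlert",
    "title": "Suspicious Resource deployment",
}

# One GUID, and one-or-more GUIDs joined by underscores (the shape seen in the posted category value).
_GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
GUID_CHAIN = re.compile(rf"^{_GUID}(_{_GUID})*$")

# The docs quoted in the thread give category as a short camelCase word (credentialTheft, ransomware).
DOC_CATEGORY = re.compile(r"^[a-z][A-Za-z]+$")

# Fields the posters expected to be populated for an alert that a SOC analyst can pivot from.
EXPECTED_NON_EMPTY = ("incidentIds", "detectionIds", "recommendedActions", "sourceMaterials")


def audit_alert(alert):
    """Return a list of human-readable findings; an empty list means the alert matches expectations."""
    findings = []
    category = alert.get("category") or ""
    if not category:
        findings.append("category: missing")
    elif GUID_CHAIN.match(category):
        findings.append("category: GUID-shaped value, not a documented category name")
    elif not DOC_CATEGORY.match(category):
        findings.append(f"category: unexpected value {category!r}")

    for key in EXPECTED_NON_EMPTY:
        if not alert.get(key):
            findings.append(f"{key}: empty")

    # sourceMaterials is the schema's slot for links to the provider's own material; without an
    # https link there, the analyst has nothing to click through to the incident in the portal.
    links = [u for u in alert.get("sourceMaterials") or [] if isinstance(u, str) and u.startswith("https://")]
    if not links:
        findings.append("no https link back to the provider/incident in sourceMaterials")
    return findings


def audit_alerts(alerts):
    """Map alert id -> findings for every alert in a Graph 'value' array (only alerts with findings)."""
    report = {}
    for alert in alerts:
        problems = audit_alert(alert)
        if problems:
            report[alert.get("id", "<no id>")] = problems
    return report


def fetch_alerts(access_token, url="https://graph.microsoft.com/v1.0/security/alerts"):
    """Assumed fetch helper: pull one page of alerts with a bearer token. Not called in this example."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("value", [])


if __name__ == "__main__":
    for alert_id, problems in audit_alerts([SAMPLE_ALERT]).items():
        print(alert_id)
        for p in problems:
            print("  -", p)
```

Running the file against the sample prints the GUID-shaped category and every empty collection, which is the list a consumer would log before deciding whether to enrich the alert from the provider's own API instead of trusting the Graph object as-is.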