SOLVED

Inaccurate Graph API Results

Brass Contributor

For some odd reason the results that I am getting from the Graph Security API the past two days are inaccurate and I can't for the life of me figure out why.

 

If I query https://graph.microsoft.com/v1.0/security/alerts I am returned 7 old alerts without any obvious relationship, rhyme, or reason for populating my results. These are not the 7 most recent, and we have had more than 7 alerts.

 

For example, when attempting to append $filter=vendorInformation/provider eq 'Microsoft Defender ATP' I receive:

 

{
    "value": []
}
 
This issue appears to extend for me across all of the MTP services.
 
I can see the alerts within MDATP, and others like MCAS and ASC for example, when navigating directly to those portals or querying their platform-specific APIs, like
 
I am getting data returned, it is just not the right data.
 
I am utilizing a Postman App registration with the SecurityEvents.Read.All and SecurityEvents.ReadWrite.All "Granted for MYDOMAIN".
 
I feel like I am missing something here. Anyone else having issues? More than happy to share additional details that would be useful.
 
UPDATE 04/01/2020 - I run the exact same queries and am receiving the correct results after letting things sit overnight. This leads me to believe that there was something service health related.
 
Any tips on running things like that down in the future?
1 Reply
best response confirmed by kylemiller061 (Brass Contributor)
Solution

@kylemiller061, our MDATP team has found and fixed the issue, so it should now work as expected. The issue wasn't related to the service health. Thank you for your feedback.
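On the closing question about running this kind of discrepancy down, here is an added example (not part of the original thread) that checks a /security/alerts response for per-provider failures before trusting an empty or short result. It assumes the Warning header format described in Microsoft's Graph security API error-response documentation, where a 206 Partial Content response names each provider that failed; every provider name other than 'Microsoft Defender ATP' is constructed, as is the sample response.

```python
import re
from collections import Counter

# Assumed header format (Microsoft's Graph security API error-response docs):
#   Warning: 199 - "{Vendor}/{Provider}/{StatusCode}/{LatencyInMs}"
WARNING_RE = re.compile(r'199 - "([^/"]+)/([^/"]+)/(\d{3})/(\d+)')

def provider_warnings(status_code, headers):
    """Return one entry per provider that failed behind a 206 Partial Content."""
    if status_code != 206:
        return []
    # Header names are case-insensitive, so do not rely on exact casing.
    raw = next((v for k, v in headers.items() if k.lower() == "warning"), "")
    return [{"vendor": v, "provider": p, "status": int(s), "latency_ms": int(ms)}
            for v, p, s, ms in WARNING_RE.findall(raw)]

def diagnose(status_code, headers, body, expected_providers):
    """Explain, per expected provider, why its alerts are present or missing."""
    failed = {w["provider"]: w for w in provider_warnings(status_code, headers)}
    counts = Counter(a["vendorInformation"]["provider"]
                     for a in body.get("value", []))
    report = {}
    for name in expected_providers:
        if name in failed:
            w = failed[name]
            report[name] = f"provider error {w['status']} after {w['latency_ms']} ms"
        elif counts[name] == 0:
            # Silent gap: nothing returned and nothing reported as failed.
            report[name] = "no alerts and no warning: compare with the provider's own API"
        else:
            report[name] = f"{counts[name]} alerts"
    return report

# Constructed sample response, not captured from a real tenant.
SAMPLE_HEADERS = {"warning": '199 - "Microsoft/Microsoft Defender ATP/504/10000/:'
                             '(Provider timed out)", 199 - "Microsoft/Provider B/404/200"'}
SAMPLE_BODY = {"value": [{"vendorInformation": {"provider": "Provider C"}},
                         {"vendorInformation": {"provider": "Provider C"}}]}
EXPECTED = ["Microsoft Defender ATP", "Provider B", "Provider C", "Provider D"]

if __name__ == "__main__":
    for provider, finding in diagnose(206, SAMPLE_HEADERS, SAMPLE_BODY, EXPECTED).items():
        print(f"{provider}: {finding}")
```

A provider that lands in the "no alerts and no warning" bucket while its own portal shows alerts is the case to take to support with the request ID and timestamp from the response headers.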
