Microsoft Graph - Understanding who is affected by the phish alert

%3CLINGO-SUB%20id%3D%22lingo-sub-1498338%22%20slang%3D%22en-US%22%3EMicrosoft%20Graph%20-%20Understanding%20who%20is%20affected%20by%20the%20phish%20alert%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1498338%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20all%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20currently%20gathering%20some%20data%20using%20Microsoft%20Graph%2C%20taken%20from%20the%20security%20alerts%20(%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%2Fv1.0%2Fsecurity%2Falerts%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2Fv1.0%2Fsecurity%2Falerts%3C%2FA%3E).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20looking%20at%20the%20alerts%20that%20state%20%22Email%20messages%20containing%20phish%20URLs%20removed%20after%20delivery%22.%20If%20I%20look%20at%20these%20messages%20through%20the%20O365%20portal%20(%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW256584477%20BCX4%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW256584477%20BCX4%22%3E%3CA%20href%3D%22https%3A%2F%2Fprotection.office.com%2Fviewalerts%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fprotection.office.com%2Fviewalerts%3C%2FA%3E)%20and%20open%20an%20alert%2C%20I%20can%20see%20the%20following%20under%20details%3A%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22ng-binding%22%3E%3CSTRONG%3EBy%20the%20time%20this%20alert%20was%20triggered%2C%20the%20following%201%20user%20received%20Phish%20and%20Malicious%20mail%20matching%20the%20conditions%20of%20your%20alert%20policy%3A%3C%2FSTRONG%3E%3C%2FDIV%3E%3CDIV%20class%3D%22paddingRight10%20ng-scope%22%3E%3CSTRONG%3E%3CSPAN%20class%3D%22ng-binding%22%3E%3CA%20href%3D%22mailto%3Auser%40company.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Euser%40company.com%3C%2FA%3E%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FDIV%3E%3CDIV%20class%3D%22paddingRight10%20ng-scope%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22paddingRight10%20ng-scope%22%3E%3CSPAN%20class%3D%22ng-binding%22%3EI%20was%20wondering%20how%20to%20get%20this%20bit%20of%20data%20using%20Graph%20(or%20some%20other%20method).%20Anyone%20have%20any%20ideas%3F%20The%20Graph%20response%20doesn't%20appear%20to%20show%20any%20data%20regarding%20who%20is%20affected.%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1498338%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EGraph%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%20%26amp%3B%20Compliance%20Center%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
New Contributor

Hello all,

 

I am currently gathering some data using Microsoft Graph, taken from the security alerts (https://graph.microsoft.com/v1.0/security/alerts).

 

I am looking at the alerts that state "Email messages containing phish URLs removed after delivery". If I look at these messages through the O365 portal (https://protection.office.com/viewalerts) and open an alert, I can see the following under details:

 

By the time this alert was triggered, the following 1 user received Phish and Malicious mail matching the conditions of your alert policy:
 
I was wondering how to get this bit of data using Graph (or some other method). Anyone have any ideas? The Graph response doesn't appear to show any data regarding who is affected.
0 Replies