SOLVED Not returning any data: value: []


We've tested the /security/alerts API from 2 different tenants. In both tenants we have Azure AD Identity Protection and Azure Security Center Alerts. We can see those alerts from their respective blades in Azure Portal.


But returns 


"@odata.context": "$metadata#Security/alerts",
"value": []


We're properly authenticated with proper permissions. We've tried it from the Graph Explorer and from both C# samples (desktop and


Can you give us a hand?

Certainly, we'll be happy to assist. I suggest sending me the Azure tenant ID/s over a private message so we can investigate why you are not getting any results for your queries.
Michael
best response confirmed by Christian Rodríguez Giménez (Brass Contributor)
Issue was successfully resolved

Hi,
Can you please elaborate on the steps taken to solve the issue?

I'm facing the same issue, but I have Advanced Threat Protection as the security provider.
I have already defined a security alerts policy and a threat management policy. 


@Michael Shalev wrote:
Issue was successfully resolved


Alerts from Windows Defender ATP are currently in Private Preview - will update when you can test this.

If you enabled WDATP in Azure Security Center, you should see these alerts included in the ASC alerts.


I have the same issue but with We always get empty alerts since 2019/01/08 for one tenant; before that it was working. Would you please help with that?

@Michael Shalev I have a similar issue when calling via Python. The properties returned do not reflect what is in the documentation. I.e.: Category (per docs) = category String Category of the alert (for example, credentialTheft, ransomware, etc.).


I'm getting a GUID for category. Other properties like incidentIds are blank...



      "id": "redacted",
      "azureTenantId": "redacted",
      "azureSubscriptionId": "redacted",
      "riskScore": null,
      "tags": [],
      "activityGroupName": null,
      "assignedTo": null,
      "category": "e573729c-f65f-46cc-b31b-f5ad7c32ff59_aa5de612-30f2-4e66-8a7f-da99b946ce54",
      "closedDateTime": null,
      "comments": [],
      "confidence": null,
      "createdDateTime": "2020-10-18T18:54:41.9442907Z",
      "description": "Identifies when a rare Resource and ResourceGroup deployment occurs by a previously unseen Caller.",
      "detectionIds": [],
      "eventDateTime": "2020-10-04T18:49:39.9931844Z",
      "feedback": null,
      "incidentIds": [],
      "lastModifiedDateTime": "2020-10-18T18:54:42.0552251Z",
      "recommendedActions": [],
      "severity": "low",
      "sourceMaterials": [],
      "status": "newAlert",
      "title": "Suspicious Resource deployment",



Any thoughts?
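A small response audit for the symptoms reported in this thread, as an added example that is not part of the original posts or of any Microsoft sample: it flags an empty `value` array, a GUID-shaped `category`, and a blank `incidentIds`. The function name, the finding strings and the sample bodies are constructed for illustration.

```python
import json
import re

# One or more GUIDs joined by "_", the shape of the category value quoted in the post.
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
GUID_CHAIN = re.compile(rf"^{GUID}(?:_{GUID})*$")

# Fields the thread reports as blank; which fields to require is this example's choice.
EXPECTED_NON_EMPTY = ("incidentIds",)


def audit_alerts_response(body):
    """Return a list of findings for a /security/alerts response body (JSON text)."""
    payload = json.loads(body)
    alerts = payload.get("value")
    if not isinstance(alerts, list):
        return ["response has no 'value' array"]
    if not alerts:
        return ["empty result set: value is []"]
    findings = []
    for i, alert in enumerate(alerts):
        label = alert.get("title") or alert.get("id") or f"alert #{i}"
        category = alert.get("category")
        # The docs quoted above describe names such as credentialTheft or ransomware.
        if isinstance(category, str) and GUID_CHAIN.match(category):
            findings.append(f"{label}: category is GUID-shaped, not a name")
        for field in EXPECTED_NON_EMPTY:
            if not alert.get(field):
                findings.append(f"{label}: {field} is empty")
    return findings


# Constructed sample bodies modelled on the two responses quoted in the thread.
EMPTY_BODY = '{"@odata.context": "$metadata#Security/alerts", "value": []}'
ALERT_BODY = json.dumps({"value": [{
    "id": "redacted",
    "category": "e573729c-f65f-46cc-b31b-f5ad7c32ff59_aa5de612-30f2-4e66-8a7f-da99b946ce54",
    "incidentIds": [],
    "severity": "low",
    "title": "Suspicious Resource deployment",
}]})

if __name__ == "__main__":
    for body in (EMPTY_BODY, ALERT_BODY):
        for finding in audit_alerts_response(body):
            print(finding)
```

Running a check like this in the ingestion path lets a SOC pipeline distinguish "no alerts" from "alerts arrived but with fields the downstream rules cannot use".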



@Michael Shalev 


I also see that incidents collected via API in my test environment are missing values for incidentIds. I'm also curious why there's no field carrying a URL link to the incident, which is present in the UI. That would make life easier for a SOC analyst investigating this. Any ideas?

Best regards,

