Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,226 questions
How to get the impacted asset (user or client) when fetching alerts (v2) from Defender using API?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 81%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
Rawad BASSIL
0
Reputation points
Hello,
I followed this documentation to list alerts from Defender https://video2.skills-academy.com/en-us/graph/api/security-list-alerts_v2?view=graph-rest-beta&tabs=http
While I am getting the output, it is very different from when I fetch the alerts manually from the portal (different column names, lots of extra columns ...) more importantly, there's not clear indicator of who / what is the impacted asset (device, user, app...).
I sometimes find this detail in the evidence column (not always) but the value in the column is usually a list of dictionaries which is quite a hassle to work with.
I need to have this granularity as I am querying on multiple tenants so it is not sustainable to keep extracting the data from the portal. Another portal limitation is that I cannot choose a specific range of createdDateTimestamp
so sometimes I'm forced to export over 6 months and then manually choose the range...
Thanks for any help!!
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 17%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
K-Mohammed 75 Reputation points Microsoft Employee2024-07-02T12:10:09.07+00:00 Hi Rawad,
Unfortunately, there isn’t a direct way to get all the details in a single query. However, you can use OData queries to filter and select specific columns. For example, you can use $select to specify the columns you need and $filter to narrow down the results based on your criteria.
The evidence column often contains details about the impacted assets. You can parse this column to extract relevant information. Here’s an example of a Graph query:
Sign in to comment