How to get the impacted asset (user or client) when fetching alerts (v2) from Defender using API?
Hello,
I followed this documentation to list alerts from Defender: https://learn.microsoft.com/en-us/graph/api/security-list-alerts_v2?view=graph-rest-beta&tabs=http
While I am getting the output, it is very different from when I fetch the alerts manually from the portal (different column names, lots of extra columns...). More importantly, there's no clear indicator of who / what is the impacted asset (device, user, app...).
I sometimes find this detail in the evidence column (not always) but the value in the column is usually a list of dictionaries which is quite a hassle to work with.
I need to have this granularity as I am querying on multiple tenants so it is not sustainable to keep extracting the data from the portal. Another portal limitation is that I cannot choose a specific range of createdDateTimestamp, so sometimes I'm forced to export over 6 months and then manually choose the range...
Thanks for any help!!
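
One way to flatten the evidence list into impacted assets and to restrict the query to a creation-date window, as an added example that is not part of the original post. The evidence property names (`deviceDnsName`, `mdeDeviceId`, `userAccount`, `primaryAddress`, `displayName`, `appId`) and the use of `$filter` on `createdDateTime` are assumptions based on the Graph alert evidence schema; the helper names and the sample alert are constructed.

```python
# Added example: field names are assumed from the Graph alertEvidence types;
# the sample alert at the bottom is constructed, not real tenant data.
from datetime import datetime, timezone

# @odata.type suffix -> (asset kind, candidate paths to a readable identifier)
ASSET_FIELDS = {
    "deviceEvidence": ("device", [("deviceDnsName",), ("mdeDeviceId",)]),
    "userEvidence": ("user", [("userAccount", "userPrincipalName"),
                              ("userAccount", "accountName")]),
    "mailboxEvidence": ("mailbox", [("primaryAddress",)]),
    "cloudApplicationEvidence": ("app", [("displayName",), ("appId",)]),
}

def _dig(obj, path):
    """Follow nested dict keys, returning None if any level is missing."""
    for key in path:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj

def impacted_assets(alert):
    """Return sorted unique (kind, identifier) pairs found in alert['evidence']."""
    found = set()
    for ev in alert.get("evidence") or []:
        suffix = str(ev.get("@odata.type", "")).rsplit(".", 1)[-1]
        if suffix not in ASSET_FIELDS:
            continue  # files, processes, IPs, URLs are evidence but not assets
        kind, paths = ASSET_FIELDS[suffix]
        ident = next((v for p in paths if (v := _dig(ev, p))), None)
        if ident:  # some evidence entries carry no usable identifier
            found.add((kind, str(ident).lower()))
    return sorted(found)

def created_between(start, end):
    """Build a $filter value limiting alerts to a createdDateTime window (UTC)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    s, e = (d.astimezone(timezone.utc).strftime(fmt) for d in (start, end))
    return f"createdDateTime ge {s} and createdDateTime le {e}"

SAMPLE_ALERT = {  # constructed
    "id": "constructed-alert-1",
    "evidence": [
        {"@odata.type": "#microsoft.graph.security.deviceEvidence",
         "deviceDnsName": "WS-042.contoso.example", "mdeDeviceId": "constructed-id"},
        {"@odata.type": "#microsoft.graph.security.userEvidence",
         "userAccount": {"accountName": "jdoe", "userPrincipalName": None}},
        {"@odata.type": "#microsoft.graph.security.processEvidence", "processId": 4242},
        {"@odata.type": "#microsoft.graph.security.userEvidence",
         "userAccount": {"accountName": "JDoe"}},
    ],
}
```

Pass the string from `created_between` as the `$filter` query parameter on the alerts_v2 request, and run `impacted_assets` over each item in the response's `value` array; alerts with no asset-type evidence return an empty list.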