Graph API Security: get related activities for a DLP report

Kevin Urban 1 Reputation point
2022-12-22T14:57:06.887+00:00

Hi!

I'm trying to fetch related activity data for a security alert of category data loss prevention.

For example:

  • I do a GET request on https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=serviceSource in ('microsoftDataLossPrevention')&$orderby=createdDateTime desc
  • I receive a response with several alerts, including evidence etc. which is good.
  • When I go to Purview (compliance.microsoft.com), go to alerts, and find the alerts, I see the same evidence, etc. Also good.
  • HOWEVER, in Purview, the alert contains an activity list, which tells me exactly what the user did (see attached screenshots). I cannot seem to find this anywhere on the Graph API. Can you give me a pointer on how to get to this information? The alerts don't seem to contain anything at all about related activity (there's "only" evidence, which contains user, device, file, etc., but not what the user tried to do). In this example, I'm specifically interested in getting the "WebPageCopiedToClipboard" information.



2 answers

  1. Daniel Bradley 1,056 Reputation points MVP
    2022-12-22T16:13:11.967+00:00

    Hey,

    On the alerts page, can you customise the columns to show the alert ID? You can then add the alert ID to the URI, for example:

    https://graph.microsoft.com/beta/security/alerts_v2/{alert-id}

    Please can you advise on the results?


  2. VICTOR.T 0 Reputation points
    2023-02-15T05:04:47.96+00:00

    Hi,

    In my experience, the Microsoft 365 Defender advanced hunting API function CloudAppEvents can show the user activities.
    Graph API advanced hunting should be the same.

    Hope it helps you.

    Ref:

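One way to follow the second answer's pointer, as an added example that is not from the thread: take the user out of the alert's alerts_v2 evidence, then ask Graph advanced hunting (POST /security/runHuntingQuery, assumed here) for that user's CloudAppEvents in a window around the alert's creation time. The token scopes, the sample alert, and the CloudAppEvents column names are assumptions; DLP endpoint actions may be recorded in a different table.

```python
# Added example (not from the thread): pivot from an alerts_v2 DLP alert to the user's
# activity via Graph advanced hunting. Assumes a token with SecurityAlert.Read.All and
# ThreatHunting.Read.All, and that the activity was logged to CloudAppEvents.
import json
from datetime import datetime, timedelta
from urllib.request import Request, urlopen
GRAPH = "https://graph.microsoft.com/v1.0/security"

# Constructed sample shaped like an alerts_v2 DLP alert; ids and names are placeholders.
SAMPLE_ALERT = {
    "createdDateTime": "2022-12-22T14:00:00Z",
    "serviceSource": "microsoftDataLossPrevention",
    "evidence": [{"@odata.type": "#microsoft.graph.security.userEvidence",
                  "userAccount": {"userPrincipalName": "user@example.com",
                                  "azureAdUserId": "aad-id-placeholder"}}],
}

def _evidence_user(alert):
    """Return the userAccount from the alert's userEvidence entry (the hunting pivot key)."""
    for ev in alert.get("evidence", []):
        if ev.get("@odata.type", "").endswith("userEvidence"):
            return ev["userAccount"]
    raise ValueError("alert has no userEvidence to pivot on")

def hunting_query_for_alert(alert, window_minutes=30):
    """Build a KQL query over CloudAppEvents for the alert's user around its creation time."""
    oid = _evidence_user(alert)["azureAdUserId"]
    if not oid.replace("-", "").isalnum():  # keep evidence values from injecting KQL
        raise ValueError("unexpected characters in azureAdUserId")
    created = datetime.fromisoformat(alert["createdDateTime"].replace("Z", "+00:00"))
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    start = (created - timedelta(minutes=window_minutes)).strftime(fmt)
    end = (created + timedelta(minutes=window_minutes)).strftime(fmt)
    return ("CloudAppEvents "  # ActionType records what the user did
            f"| where Timestamp between (datetime({start}) .. datetime({end})) "
            f"| where AccountObjectId == '{oid}' "
            "| project Timestamp, ActionType, Application, ObjectName, DeviceType "
            "| order by Timestamp asc")

def activities_from_result(result):
    """Flatten a runHuntingQuery response into (Timestamp, ActionType, ObjectName) tuples."""
    return [(r.get("Timestamp"), r.get("ActionType"), r.get("ObjectName"))
            for r in result.get("results", [])]

def run_hunting_query(token, query):
    """POST the query to Graph advanced hunting (network call; not exercised offline)."""
    req = Request(f"{GRAPH}/runHuntingQuery", data=json.dumps({"Query": query}).encode(),
                  headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urlopen(req) as resp:
        return json.load(resp)
```

Call `activities_from_result(run_hunting_query(token, hunting_query_for_alert(alert)))` with a real alert from the alerts_v2 endpoint to list the actions recorded for that user around the alert.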