I can run legacy alert API (/v1.0/security/alerts) successfully and can get result. But when I run new alert API(/v1.0/security/alerts_v2), it returns null.

sysint 0 Reputation points
2023-07-28T18:18:49.63+00:00

Firstly, I have configured required permissions for the application.

Secondly, I try both legacy alert API(/v1.0/security/alerts) and new alert API(/v1.0/security/alerts_v2), and I can get result from legacy alert API, but new alert API returns NULL.

Thirdly, my license is E3. When I use a tenant with E5 license, both APIs can returned data.

My question is why new alert API(/v1.0/security/alerts_v2) cannot return data with E5 license?

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
12,284 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Cuepper, Jan 5 Reputation points
    2023-08-18T08:13:07.0966667+00:00

    I can confirm, that the v2 API only works if a defender license is assigned. Furthermore you have to at least once login into the security center and open the alerts menu (https://security.microsoft.com/alerts). You may see the following:
    User's image

    After a couple of minutes you can view the alerts in the security admin center and the v2 graph endpoint will work as well.

    I do not understand why we have to use different endpoint depending on the license. If you have to monitor alerts for a lot of customer tenants with different licenses things like these are very frustrating to deal with, because its not clearly documented anywhere.

    1 person found this answer helpful.
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.