Regarding Microsoft Graph security alert_v2 API pagination

Nitin Gupta 0 Reputation points
2024-03-08T05:35:17.8533333+00:00

We are using the Microsoft Graph security alerts_v2 API to retrieve alert records. The documentation (https://learn.microsoft.com/en-us/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http) says to use `@odata.nextLink` for pagination.

However, we do not receive this pagination link (`@odata.nextLink`) in either the alerts_v2 response body or the response headers.

 

Please let us know where this link (`@odata.nextLink`) is returned, or whether any other field or method can be used for pagination.

 

Request:

https://graph.microsoft.com/v1.0/security/alerts_v2?$top=1

Response:

{

    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/alerts_v2",

    "value": [

        {

            "id": "dab674980f-e329-47da-a1d4-0bc24d08f522_1",

            "providerAlertId": "b674980f-e329-47da-a1d4-0bc24d08f522_1",

            "incidentId": "1",

            "status": "new",

            "severity": "medium",

            "classification": "informationalExpectedActivity",

            "determination": "securityTesting",

            "serviceSource": "microsoftDefenderForEndpoint",

            "detectionSource": "microsoftDefenderForEndpoint",

            "productName": "Microsoft Defender for Endpoint",

            "detectorId": "7f1c3609-a3ff-40e2-995b-c01770161d68",

            "tenantId": "c19fb0c9-a0e8-42bd-8974-0c4e7d7e8ae1",

            "title": "Suspicious PowerShell command line",

            "description": "A suspicious PowerShell activity was observed on the machine. \nThis behavior may indicate that PowerShell was used during installation, exploration, or in some cases in lateral movement activities which are used by attackers to invoke modules, download external payloads, or get more information about the system. Attackers usually use PowerShell to bypass security protection mechanisms by executing their payload in memory without touching the disk and leaving any trace.",

            "recommendedActions": "1. Examine the PowerShell command line to understand what commands were executed. Note: the content may need to be decoded if it is Base64-encoded.\n2. Search the script for more indicators to investigate - for example IP addresses (potential C&C servers), target computers etc.\n3. Explore the timeline of this and other related machines for additional suspect activities around the time of the alert.\n4. Look for the process that invoked this PowerShell run and their origin. Consider submitting any suspect files in the chain for deep analysis for detailed behavior information.",

            "category": "Execution",

            "assignedTo": ["NitinGupta@psl2611.onmicrosoft.com"],

            "alertWebUrl": "https://security.microsoft.com/alerts/dab674980f-e329-47da-a1d4-0bc24d08f522_1?tid=c19fb0c9-a0e8-42bd-8974-0c4e7d7e8ae1",

            "incidentWebUrl": "https://security.microsoft.com/incidents/1?tid=c19fb0c9-a0e8-42bd-8974-0c4e7d7e8ae1",

            "actorDisplayName": null,

            "threatDisplayName": null,

            "threatFamilyName": null,

            "mitreTechniques": [

                "T1059.001"

            ],

            "createdDateTime": "2024-02-20T06:39:41.86Z",

            "lastUpdateDateTime": "2024-02-22T06:22:33.8666667Z",

            "resolvedDateTime": null,

            "firstActivityDateTime": "2024-02-20T06:38:24.9872702Z",

            "lastActivityDateTime": "2024-02-20T06:38:27.167343Z",

            "systemTags": [],

            "alertPolicyId": null,

            "additionalData": null,

            "comments": [],

            "evidence": [

                {

                    "@odata.type": "#microsoft.graph.security.deviceEvidence",

                    "createdDateTime": "2024-02-20T06:39:41.96Z",

                    "verdict": "unknown",

                    "remediationStatus": "none",

                    "remediationStatusDetails": null,

                    "roles": [],

                    "detailedRoles": [

                        "PrimaryDevice"

                    ],

                    "tags": [],

                    "firstSeenDateTime": "2024-02-20T06:25:28.862052Z",

                    "mdeDeviceId": "5abaa40b71d0c98aa797954e62026e138d5fe061",

                    "azureAdDeviceId": null,

                    "deviceDnsName": "desktop-t7lro26",

                    "osPlatform": "Windows11",

                    "osBuild": 22621,

                    "version": "22H2",

                    "healthStatus": "active",

                    "riskScore": "medium",

                    "rbacGroupId": 0,

                    "rbacGroupName": null,

                    "onboardingStatus": "onboarded",

                    "defenderAvStatus": "notSupported",

                    "ipInterfaces": [

                        "192.168.0.153",

                        "fd01::a0cc:36f6:177e:2caa",

                        "fd01::11b6:ef4f:2369:9997",

                        "fe80::3868:e243:3bac:67f0",

                        "127.0.0.1",

                        "::1"

                    ],

                    "vmMetadata": null,

                    "loggedOnUsers": []

                },

                {

                    "@odata.type": "#microsoft.graph.security.userEvidence",

                    "createdDateTime": "2024-02-20T06:39:41.96Z",

                    "verdict": "unknown",

                    "remediationStatus": "none",

                    "remediationStatusDetails": null,

                    "roles": [],

                    "detailedRoles": [],

                    "tags": [],

                    "userAccount": {

                        "accountName": "Nitin",

                        "domainName": "DESKTOP-T7LRO26",

                        "userSid": "S-1-5-21-3954583150-1821681604-3782018842-1001",

                        "azureAdUserId": null,

                        "userPrincipalName": null,

                        "displayName": null

                    }

                },

                {

                    "@odata.type": "#microsoft.graph.security.urlEvidence",

                    "createdDateTime": "2024-02-20T06:39:41.96Z",

                    "verdict": "suspicious",

                    "remediationStatus": "none",

                    "remediationStatusDetails": null,

                    "roles": [],

                    "detailedRoles": [],

                    "tags": [],

                    "url": "http://127.0.0.1/1.exe"

                },

                {

                    "@odata.type": "#microsoft.graph.security.ipEvidence",

                    "createdDateTime": "2024-02-20T06:39:41.96Z",

                    "verdict": "suspicious",

                    "remediationStatus": "none",

                    "remediationStatusDetails": null,

                    "roles": [],

                    "detailedRoles": [],

                    "tags": [],

                    "ipAddress": "127.0.0.1",

                    "countryLetterCode": null

                },

                {

                    "@odata.type": "#microsoft.graph.security.processEvidence",

                    "createdDateTime": "2024-02-20T06:39:41.96Z",

                    "verdict": "unknown",

                    "remediationStatus": "none",

                    "remediationStatusDetails": null,

                    "roles": [],

                    "detailedRoles": [],

                    "tags": [],

                    "processId": 9504,

                    "parentProcessId": 13680,

                    "processCommandLine": "powershell.exe  -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'",

                    "processCreationDateTime": "2024-02-20T06:38:24.7865651Z",

                    "parentProcessCreationDateTime": "2024-02-20T06:38:21.0420499Z",

                    "detectionStatus": "detected",

                    "mdeDeviceId": "5abaa40b71d0c98aa797954e62026e138d5fe061",

                    "imageFile": {

                        "sha1": "4018d2a1c31763c6a047aae5ad63a3306a732252",

                        "sha256": "d436e66c0d092508e4b85290815ab375695fa9013c7423a3a27fed4f1acf90bd",

                        "fileName": "powershell.exe",

                        "filePath": "C:\Windows\System32\WindowsPowerShell\v1.0",

                        "fileSize": 491520,

                        "filePublisher": "Microsoft Corporation",

                        "signer": null,

                        "issuer": null

                    },

                    "parentProcessImageFile": {

                        "sha1": null,

                        "sha256": null,

                        "fileName": "cmd.exe",

                        "filePath": "C:\Windows\System32",

                        "fileSize": 323584,

                        "filePublisher": "Microsoft Corporation",

                        "signer": null,

                        "issuer": null

                    },

                    "userAccount": {

                        "accountName": "Nitin",

                        "domainName": "DESKTOP-T7LRO26",

                        "userSid": "S-1-5-21-3954583150-1821681604-3782018842-1001",

                        "azureAdUserId": null,

                        "userPrincipalName": null,

                        "displayName": null

                    }

                }

            ]

        }

    ]

}

 
