Cannot view Sentinel alert for some incidents but the alert can be found in Defender for Endpoint portal using Graph

Spyros Ermogenous 0

I have enabled automatic incident creation for Defender for Endpoint in Sentinel but when I try to view some alerts associated with the created incidents, nothing is displayed. Despite this, I can locate the relevant alert in the Security (Defender for Endpoint) portal through Graph API, even though it has a different AlertID.

How can I establish a connection between these two alerts?

Clive Watson 5,716 Reputation points MVP

2024-03-12T12:40:44.72+00:00

Hi, are you saying that when you click the link in Sentinel to take you to Defender XDR it only works for some or all?
The Incident numbers are different from Defender XDR and Microsoft Sentinel but when raised from XDR --> Sentinel the Sentinel Incident has the hyperlink back to the correct Alert number in Defender XDR (or should).
Are you using the "Microsoft Defender XDR" connector, as the legacy one doesnt bring all alerts across?
Spyros Ermogenous 0 Reputation points

2024-03-12T12:55:32.3733333+00:00

Hi,

I am using the XDR Connector. The main problem is not how to hop using the UI from a Sentinel Incident to the relevant alert in Defender. This can be done using the below:

I want to know how to correlate the alert in Sentinel with the Alert in Defender with the use of Security Graph API.
Clive Watson 5,716 Reputation points MVP

2024-03-15T12:24:32.9766667+00:00

You can follow the AlertwebURL or IncidentwebURL value
https://learn.microsoft.com/en-us/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http