Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
A cloud-native solution that protects workloads across hybrid and multi-cloud environments with threat detection and security recommendations
How to get the impacted asset (user or client) when fetching alerts (v2) from Defender using API?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 81%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
Rawad BASSIL
5
Reputation points
Hello,
I followed this documentation to list alerts from Defender https://learn.microsoft.com/en-us/graph/api/security-list-alerts_v2?view=graph-rest-beta&tabs=http
While I am getting the output, it is very different from when I fetch the alerts manually from the portal (different column names, lots of extra columns ...) more importantly, there's not clear indicator of who / what is the impacted asset (device, user, app...).
I sometimes find this detail in the evidence column (not always) but the value in the column is usually a list of dictionaries which is quite a hassle to work with.
I need to have this granularity as I am querying on multiple tenants so it is not sustainable to keep extracting the data from the portal. Another portal limitation is that I cannot choose a specific range of createdDateTimestamp
so sometimes I'm forced to export over 6 months and then manually choose the range...
Thanks for any help!!
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud
Microsoft Security | Microsoft Defender | Microsoft Defender for Identity
Microsoft Security | Microsoft Defender | Microsoft Defender for Identity
A security solution that detects identity-based threats and suspicious activities in on-premises Active Directory environments
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud Apps
Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud Apps
A tool that provides visibility, control, and threat protection for cloud-based applications and services
Microsoft Security | Microsoft Graph
Microsoft Security | Microsoft Graph
An API that connects multiple Microsoft services, enabling data access and automation across platforms
{count} vote
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 17%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
K-Mohammed 240 Reputation points Microsoft Employee2024-07-02T12:10:09.07+00:00 Hi Rawad,
Unfortunately, there isn’t a direct way to get all the details in a single query. However, you can use OData queries to filter and select specific columns. For example, you can use $select to specify the columns you need and $filter to narrow down the results based on your criteria.
The evidence column often contains details about the impacted assets. You can parse this column to extract relevant information. Here’s an example of a Graph query:
Sign in to comment
Sign in to answer