How to get the impacted asset (user or client) when fetching alerts (v2) from Defender using API?

Rawad BASSIL 0 Reputation points
2024-05-30T13:30:38.1333333+00:00

Hello,
I followed this documentation to list alerts from Defender: https://learn.microsoft.com/en-us/graph/api/security-list-alerts_v2?view=graph-rest-beta&tabs=http

While I am getting the output, it is very different from when I fetch the alerts manually from the portal (different column names, lots of extra columns ...). More importantly, there's no clear indicator of who / what is the impacted asset (device, user, app...).
I sometimes find this detail in the evidence column (not always), but the value in the column is usually a list of dictionaries, which is quite a hassle to work with.
I need to have this granularity as I am querying on multiple tenants, so it is not sustainable to keep extracting the data from the portal. Another portal limitation is that I cannot choose a specific range of createdDateTime, so sometimes I'm forced to export over 6 months and then manually choose the range...

Thanks for any help!!
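An added example (not part of the question, and not Microsoft's code) showing one way to turn the `evidence` list of an alerts_v2 response into flat "impacted user / device / app" columns and to restrict the result to a `createdDateTime` window. The field names (`@odata.type`, `roles`, `userAccount`, `deviceDnsName`, `fileDetails`, `displayName`, `ipAddress`) follow the Graph alert evidence schema; the sample alerts are constructed. Two assumptions are this example's own: that evidence carrying an `attacker` or `contextual` role is not an impacted asset (the portal's exact rule is not documented on this page), and that the endpoint accepts an OData `$filter` on `createdDateTime`, which avoids exporting months of data and trimming by hand.

```python
import csv
import io
from datetime import datetime, timezone

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts_v2"

# Constructed sample: field names follow the alerts_v2 resource, values are invented.
SAMPLE_ALERTS = [
    {"id": "alert-001", "title": "Suspicious sign-in from unfamiliar location",
     "severity": "medium", "createdDateTime": "2024-05-20T10:15:00Z",
     "evidence": [
         {"@odata.type": "#microsoft.graph.security.userEvidence", "roles": ["compromised"],
          "verdict": "suspicious",
          "userAccount": {"accountName": "jdoe", "domainName": "contoso",
                          "userPrincipalName": "jdoe@contoso.example"}},
         {"@odata.type": "#microsoft.graph.security.ipEvidence", "roles": ["attacker"],
          "verdict": "malicious", "ipAddress": "203.0.113.7"}]},
    {"id": "alert-002", "title": "Malware detected", "severity": "high",
     "createdDateTime": "2024-02-03T08:00:00Z",
     "evidence": [
         {"@odata.type": "#microsoft.graph.security.deviceEvidence", "roles": ["attacked"],
          "verdict": "suspicious", "deviceDnsName": "wks-17.contoso.example",
          "mdeDeviceId": "constructed-device-id"},
         {"@odata.type": "#microsoft.graph.security.fileEvidence", "roles": ["contextual"],
          "verdict": "malicious",
          "fileDetails": {"fileName": "invoice.exe", "sha256": "constructed-hash"}},
         {"@odata.type": "#microsoft.graph.security.userEvidence", "roles": ["contextual"],
          "verdict": "unknown",
          "userAccount": {"accountName": "svc-backup", "domainName": "contoso"}}]},
    {"id": "alert-003", "title": "Risky OAuth app consent", "severity": "low",
     "createdDateTime": "2024-05-28T23:59:59Z",
     "evidence": [
         {"@odata.type": "#microsoft.graph.security.oauthApplicationEvidence",
          "roles": ["policyViolator"], "verdict": "suspicious",
          "appId": "constructed-app-id", "displayName": "Mail Sync Helper"}]},
]

# Assumption of this example: these roles mark the attacker side or mere context,
# so evidence carrying them is not reported as an impacted asset.
NON_IMPACTED_ROLES = {"attacker", "contextual"}

# Reporting window used by the stand-alone run and the checks below.
WINDOW_START = datetime(2024, 5, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 6, 1, tzinfo=timezone.utc)


def describe_evidence(item):
    """Map one typed evidence object to (kind, name); unknown types yield None."""
    otype = item.get("@odata.type", "")
    if otype.endswith("userEvidence"):
        acct = item.get("userAccount") or {}
        upn = acct.get("userPrincipalName")
        name = upn or f"{acct.get('domainName', '')}\\{acct.get('accountName', '')}"
        return ("user", name)
    if otype.endswith("deviceEvidence"):
        return ("device", item.get("deviceDnsName") or item.get("mdeDeviceId", ""))
    if otype.endswith(("cloudApplicationEvidence", "oauthApplicationEvidence")):
        return ("app", item.get("displayName") or item.get("appId", ""))
    if otype.endswith("ipEvidence"):
        return ("ip", item.get("ipAddress", ""))
    if otype.endswith("fileEvidence"):
        return ("file", (item.get("fileDetails") or {}).get("fileName", ""))
    return None


def impacted_assets(alert):
    """Return {kind: [names]} for evidence not flagged as attacker/contextual."""
    out = {}
    for item in alert.get("evidence") or []:
        if NON_IMPACTED_ROLES.intersection(item.get("roles") or []):
            continue
        desc = describe_evidence(item)
        if desc and desc[1]:
            out.setdefault(desc[0], []).append(desc[1])
    return out


def parse_graph_time(value):
    """createdDateTime is ISO 8601 with a trailing Z; return a tz-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def created_filter(start, end):
    """OData $filter clause for a createdDateTime window [start, end)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return f"createdDateTime ge {start.strftime(fmt)} and createdDateTime lt {end.strftime(fmt)}"


def flatten_alerts(alerts, start, end):
    """One flat row per alert in the window; impacted assets joined with ';'."""
    rows = []
    for a in alerts:
        if not (start <= parse_graph_time(a["createdDateTime"]) < end):
            continue  # client-side guard in case the server filter was not applied
        assets = impacted_assets(a)
        rows.append({"id": a["id"], "title": a["title"], "severity": a["severity"],
                     "createdDateTime": a["createdDateTime"],
                     "impactedUsers": ";".join(assets.get("user", [])),
                     "impactedDevices": ";".join(assets.get("device", [])),
                     "impactedApps": ";".join(assets.get("app", []))})
    return rows


def to_csv(rows):
    """Render the flat rows as CSV text, portal-export style."""
    fields = ["id", "title", "severity", "createdDateTime",
              "impactedUsers", "impactedDevices", "impactedApps"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # The request you would send per tenant (token handling omitted):
    print(f"GET {GRAPH_ALERTS_URL}?$filter={created_filter(WINDOW_START, WINDOW_END)}")
    print(to_csv(flatten_alerts(SAMPLE_ALERTS, WINDOW_START, WINDOW_END)))
```

Keep the client-side date check even when you send `$filter`, and page through `@odata.nextLink` when a tenant returns more alerts than one page holds; the evidence mapping is where you would add further `@odata.type` cases (mailbox, process, URL) as they show up in your tenants.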
