How can I get forensic data (match count, Purview DLP policy name, rule matched, etc.) for alerts?

Russel Fernandes
2024-07-19T10:30:28.5366667+00:00

https://learn.microsoft.com/en-us/graph/api/security-alert-get?view=graph-rest-1.0&tabs=http

How can we get forensic data related to incidents or alerts with the Graph API?

The response does not include Purview DLP related data like the policy name, the number of matches against the policy, or the action status (blocked, quarantined, allowed).

For example, I have a Purview policy that looks for a keyword in Exchange Online. It then creates the related alerts and their incident. When I call
GET https://graph.microsoft.com/v1.0/security/incidents?$expand=alerts

the response does not have this information.

The Q&A Assist solution returns: "could not find a property named 'incidentStates' on microsoft.graph.alerts".

Microsoft Security | Microsoft Graph
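To see concretely what the incidents query in the question returns per alert, here is an added Python example (not code from the original post or from Microsoft). It builds the `security/incidents?$expand=alerts` URL (with a properly percent-encoded `$filter` for status), follows `@odata.nextLink` pagination, and summarises each alert's provider-level fields (`serviceSource`, `productName`, `alertPolicyId`, `additionalData`, attached evidence types) so a triager can check which forensic detail is actually present. The response body below is constructed, not captured from a tenant; the `serviceSource` value `dataLossPrevention`, the `alertPolicyId` field and the evidence type name are used as they appear in the Graph security alert resource as I know it and should be verified against the current schema.

```python
"""Walk Microsoft Graph security incidents (with $expand=alerts) and summarise
what each alert actually carries. Added example; the sample response below is
constructed, not captured from a real tenant."""
import json
import urllib.request
from typing import Any, Dict, Iterator, List, Optional
from urllib.parse import quote

GRAPH_V1 = "https://graph.microsoft.com/v1.0"


def incidents_url(status: Optional[str] = None) -> str:
    """Build the incidents query from the question, optionally adding the
    OData status filter. The filter expression is percent-encoded so the
    spaces and single quotes survive inside the URL."""
    url = f"{GRAPH_V1}/security/incidents?$expand=alerts"
    if status:
        url += "&$filter=" + quote(f"status eq '{status}'")
    return url


def fetch_pages(url: str, token: str) -> Iterator[Dict[str, Any]]:
    """Yield every incident, following @odata.nextLink until the collection
    is exhausted. Network call; not exercised offline."""
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
        yield from body.get("value", [])
        url = body.get("@odata.nextLink")


def summarize_alert(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Pull the fields a triager needs, plus whatever the provider put into
    additionalData and which evidence types are attached to the alert."""
    return {
        "id": alert.get("id"),
        "title": alert.get("title"),
        "status": alert.get("status"),
        "serviceSource": alert.get("serviceSource"),
        "productName": alert.get("productName"),
        "alertPolicyId": alert.get("alertPolicyId"),
        "additionalData": alert.get("additionalData") or {},
        "evidenceTypes": sorted({e.get("@odata.type", "?") for e in alert.get("evidence", [])}),
    }


def alerts_from_incidents(incidents: List[Dict[str, Any]],
                          service_source: Optional[str] = None) -> List[Dict[str, Any]]:
    """Flatten expanded alerts across incidents; optionally keep only alerts
    from one provider (e.g. "dataLossPrevention", assumed enum value)."""
    out = []
    for inc in incidents:
        for alert in inc.get("alerts", []):
            if service_source and alert.get("serviceSource") != service_source:
                continue
            summary = summarize_alert(alert)
            summary["incidentId"] = inc.get("id")
            out.append(summary)
    return out


# Constructed sample: one DLP-sourced alert and two Defender alerts.
SAMPLE_RESPONSE = {
    "value": [
        {"id": "1001", "displayName": "DLP keyword match",
         "alerts": [
             {"id": "a1", "title": "DLP policy match in Exchange Online",
              "status": "new", "serviceSource": "dataLossPrevention",
              "productName": "Data Loss Prevention",
              "alertPolicyId": "POLICY-ID-PLACEHOLDER",
              "additionalData": {"note": "constructed sample"},
              "evidence": [{"@odata.type": "#microsoft.graph.security.mailboxEvidence"}]}]},
        {"id": "1002", "displayName": "Suspicious sign-in",
         "alerts": [
             {"id": "a2", "title": "Atypical travel", "status": "resolved",
              "serviceSource": "microsoftDefenderForEndpoint", "evidence": []},
             {"id": "a3", "title": "Credential dumping", "status": "inProgress",
              "serviceSource": "microsoftDefenderForEndpoint", "evidence": []}]},
    ]
}

if __name__ == "__main__":
    print(incidents_url("resolved"))
    for s in alerts_from_incidents(SAMPLE_RESPONSE["value"], "dataLossPrevention"):
        print(json.dumps(s, indent=2))
```

To run against a tenant, replace the sample with `fetch_pages(incidents_url(), token)`, where the token carries `SecurityIncident.Read.All`; the summary then shows whether `additionalData` or the evidence entries carry any Purview detail for your alerts, or whether, as the question reports, they do not.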

1 answer

Q&A Assist
2024-07-19T10:30:28.54+00:00
AI generated content. This question contains an answer created with AI from Q&A Assist.

To get forensic data related to incidents or alerts with Graph API, you can use the security/alerts endpoint and include the $expand query parameter to include additional information about the alert. The response will include the policy name, rule matched, and action status. Here's an example request:

GET https://graph.microsoft.com/v1.0/security/alerts?$expand=incidentStates($expand=additionalData)

The additionalData property in the incidentStates object will contain the forensic data you're looking for. Note that this endpoint will only return alerts that have not been resolved. To get resolved alerts, you can use the security/alerts?$filter=status eq 'resolved' endpoint.
