Microsoft Security | Microsoft Graph
An API that connects multiple Microsoft services, enabling data access and automation across platforms
How to retrieve detailed Microsoft DLP incident data via API?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 32%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Jozko Mrkvicka
0
Reputation points
Hi everyone,
I’m currently trying to retrieve detailed information about Microsoft Data Loss Prevention (DLP) incidents via API and I’m running into some limitations.
The incidents are clearly visible in the Microsoft Defender portal (e.g., DLP policy matches for Teams conversations), but they are not returned by the Defender for Endpoint API (api.security.microsoft.com). That makes sense, since these incidents originate from Microsoft Data Loss Prevention rather than MDE.
So I switched to Microsoft Graph API and started using:
GET https://graph.microsoft.com/v1.0/security/incidents
This does return the incidents, but the response is very minimal — only high-level metadata (ID, severity, status, etc.). I’m not seeing detailed DLP-specific information such as:
- Matched policy details
- Exact rule triggered
- Content match information
- Location/context (e.g., Teams message specifics)
- Evidence data
In the Defender UI, all this detail is visible, but I can’t seem to retrieve it through Graph.
Has anyone successfully extracted full DLP incident details via API?
Any guidance or real-world experience would be greatly appreciated.
Thanks!
Microsoft Security | Microsoft Graph
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 99%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJD%3C/text%3E%3C/svg%3E)
John Doe 85 Reputation points2026-02-13T08:46:08.8966667+00:00 However, the reality here is that the Microsoft native APIs are designed for higher-level alerting purposes, and they are simply not designed for forensics. When you're facing a brick wall in which the API is giving you a 'shell' of the incident but you're missing the content themselves, the reason for this issue is the fact that the evidence is located in a different compliance silo. Unfortunately, when native recover or data extraction processes have this type of ceiling, various DIY type tools are used to attempt to bridge this gap. These tools are built to recover or extract exactly what was 'lost' from the original source, even if this isn't necessarily made available through the API. It is much faster than attempting to write complex programming scripts for everything.
Sign in to comment
Sign in to answer