Edit

List alerts

  • Article

Namespace: microsoft.graph

Retrieve a list of alert objects.

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type Permissions (from least to most privileged)
Delegated (work or school account) SecurityEvents.Read.All, SecurityEvents.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application SecurityEvents.Read.All, SecurityEvents.ReadWrite.All

HTTP request

GET /security/alerts
GET /security/alerts?$top=1
GET /security/alerts?$filter={property} eq '{property-value}'
GET /security/alerts?$filter={property} eq '{property-value}'&$top=5
GET /security/alerts?$filter={property} eq '{property-value}' and {property} eq '{property-value}'

Optional query parameters

This method supports the following OData query parameters to help customize the response:

  • $count
  • $orderby
  • $select
  • $skip
  • $top - Returns the aggregated top results from each security API provider.
  • $filter

The following table lists the $filter keywords by each vendor name. Even though some of these products have been rebranded, the API is yet to be updated. Filter keywords will continue to use the legacy names until further notice. See the changelog for updates.

Vendor name $filter keyword
Microsoft Defender for Identity Azure Advanced Threat Protection
Azure Security Center ASC
Microsoft Defender for Cloud Apps MCAS
Azure Active Directory Identity Protection IPC
Azure Sentinel Azure Sentinel
Microsoft Defender for Endpoint Microsoft Defender ATP
Office 365 Not currently supported.

Note: Some providers might not support $filter keywords.

To return an alternative property set, use the OData $select query parameter to specify the set of alert properties that you want For example, to return the assignedTo, category, and severity properties, add the following to your query: $select=assignedTo,category,severity.

Note: The $top OData query parameter has a limit of 1000 alerts. We recommend that you include only $top and not $skip in your first GET query. You can use @odata.nextLink for pagination. If you need to use $skip, it has a limit of 500 alerts. For example, /security/alerts?$top=10&$skip=500 will return a 200 OK response code, but /security/alerts?$top=10&$skip=501 will return a 400 Bad Request response code. For more information, see Microsoft Graph Security API error responses.

Request headers

Name Description
Authorization Bearer {code}. Required.

Request body

Do not supply a request body for this method. The request body will be ignored.

Response

If successful, this method returns a 200 OK response code and collection of alert objects in the response body. If a status code other than 2xx or 404 is returned from a provider or if a provider times out, the response will be a 206 Partial Content status code with the provider's response in a warning header. For more information, see Microsoft Graph Security API error responses.

Example

Request

The following is an example of the request.

GET https://graph.microsoft.com/v1.0/security/alerts

Response

The following is an example of the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-type: application/json

{
  "value": [
    {
      "activityGroupName": "activityGroupName-value",
      "assignedTo": "assignedTo-value",
      "azureSubscriptionId": "azureSubscriptionId-value",
      "azureTenantId": "azureTenantId-value",
      "category": "category-value",
      "closedDateTime": "datetime-value"
    }
  ]
}