Microsoft Graph Security API error responses

Namespace: microsoft.graph

Errors in the Microsoft Graph Security API are returned using the standard HTTP 206 Partial Content status code and are delivered via a warning header.

Errors

The Microsoft Graph Security API is a federated service that receives multiple responses from all data providers. When an HTTP error is received by the Microsoft Graph Security API, it will send back a warning header in the following format:

{Vendor}/{Provider}/{StatusCode}/{LatencyInMs}

This warning header is only sent back to clients when one of the data providers returns an error code other than 2xx or 404. For example:

  • HttpStatusCode.Forbidden (403) might be returned if the access to the resource is not granted.
  • If a provider times out, HttpStatusCode.GatewayTimeout (504) is returned in the warning header.
  • If an internal provider error happens, HttpStatusCode.InternalServerError (500) is used in the warning header.

If a data provider returns 2xx or 404, it’s not shown in the warning header because these codes are expected for success or when data is not found respectively. In a federated system, a 404 not found is expected as many times the data is only known to one or several, but not all, providers.

Example

A user asks for security/alerts/{alert_id}.

Provider 1: 404 (provider does not have a record of this alert ID)
Provider 2: 504 (provider timed out)
Provider 3: 200 (success)
Provider 4: 403 (customer has not licensed this provider)

Because both 404 and 200 are expected conditions, the warning header contains the following:

Warning : 199 - "{Vendor2}/{Provider 2}/504/10000",    (usual timeout limit is set at 10 seconds)
          199 - "{Vendor4}/{Provider 4}/403/10"       (Provider 4 rejected the request in 10 ms)

Note: Each HTTP header is a collection of subitems, so users can enumerate the Warning header and check all items.

Threat indicator bulk action errors

Bulk actions (create, update, delete) can generate two different potential error codes:

  • A 400 error code indicates that the body provided had an error during serialization.
  • A 206 error code indicates that one or more of the bulk actions failed when it was federated out to its provider. The response will contain success/error data from the individual providers for each threat intelligence indicator. Unlike alerts, all potential error information will be contained within the body of the response for tiIndicator bulk actions.

Constraints

The $top OData query parameter has a limit of 1000 alerts. We recommend that you include only $top and not $skip in your first GET query. You can use @odata.nextLink for pagination. If you need to use $skip, it has a limit of 500 alerts. For example, /security/alerts?$top=10&$skip=500 will return a 200 OK response code, but /security/alerts?$top=10&$skip=501 will return a 400 Bad Request response code. For more information, see Microsoft Graph Security API error responses.

A workaround for this limit is to use the $filter OData query parameter with the eventDateTime of the alert entity from the Microsoft Graph Security API, using ?$filter=eventDateTime gt {YYYY-MM-DDT00:00:00.000Z} and replacing the dateTime value with the last (1500th) alert. You can also set a range for the eventDateTime; for example, alerts?$filter=eventDateTime **gt** 2018-11-**11**T00:00:00.000Z&eventDateTime **lt** 2018-11-**12**T00:00:00.000Z.

If you’re having trouble with authorization, see Authorization and the Microsoft Graph Security API.