2

The new Microsoft Graph Security API should return data from different security providers, for now, Azure AD Identity Protection and Azure Security Center.

But https://graph.microsoft.com/beta/security/alerts is not returning any data (value: []).

We've tested the /security/alerts API from 2 different tenants. In both tenants, we have Azure AD Identity Protection and Azure Security Center Alerts. We can see those alerts from their respective blades in Azure Portal but /beta/security/alerts returns:

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#Security/alerts",
  "value": []
}

We're authenticated with proper permissions. We've tried it from the Graph Explorer and from both C# samples (desktop and ASP.NET).

Any ideas?

Marc LaFleur
Christian Rodriguez

2 Answers

0

Graph Explorer will not work at present for the Security API unless you don't log in. In that case you will get the demo data. If you do log in you should see 'unauthorized' (not an empty set). Graph Explorer currently does not ask for the permissions needed to access the Security API.

That aside, if you are using your own code as you indicated, you should be seeing any alerts you see in the portal, as long as they are newer than 30 days old. The Security API will only return alerts up to 30 days old for these two products right now.

So, if you have alerts newer than 30 days, and still are getting an empty set returned, then there may be an issue we'd like to look into. Please reply with your Directory ID. This GUID can be found looking in the Azure Portal under Active Directory Properties. Using this we can search for any ASC and AADIP alerts for your tenant that should be showing up from the API.

jwes
  • Graph Explorer allows you to modify permissions and grant SecurityEvents.Read.All and SecurityEvents.ReadWrite.All (and also User.Read.All, which I think is also required). This article actually describes how to use Graph Explorer with delegated authentication: https://techcommunity.microsoft.com/t5/Using-Microsoft-Graph-Security/Authorization-and-Microsoft-Graph-Security-API/m-p/184376#M2 We do have alerts from ASC and AADIP newer than 30 days in both tenants. In any case, I don't feel comfortable sharing our Tenant IDs here. Perhaps I can get in touch with you in private? Twitter? Reddit? – Christian Rodriguez May 10 '18 at 13:28
  • Christian, message me on LinkedIn at https://www.linkedin.com/in/wescottjason/ and I will give you my Microsoft email address so we can investigate. – jwes May 11 '18 at 18:32
  • Jason, I don't have a paid LinkedIn account so I can't message you. I've sent you a request to add me to your network. If you want, you can message me your Microsoft email at https://www.linkedin.com/in/christian-rodriguez-16334671/ Thanks in advance – Christian Rodriguez May 16 '18 at 08:04
  • Christian, looks like you found our emails. I'll reply to that thread to ensure this is resolved. You said your authentication errors are resolved but didn't mention the empty set issues. I'll take it up on that mail thread. – jwes May 18 '18 at 00:03
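
A triage helper for the cases the answer above distinguishes (an added example, not code from the thread or from Microsoft): it reads the `scp` and `roles` claims from an access token without verifying it, then checks portal alert timestamps against the 30-day window. The function names, the sample token and the timestamps are constructed for illustration.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Graph permission names discussed in the thread; either one covers reading alerts.
ALERT_PERMS = {"SecurityEvents.Read.All", "SecurityEvents.ReadWrite.All"}
WINDOW = timedelta(days=30)  # alert age limit stated in the answer


def token_permissions(jwt):
    """Return scp (delegated) and roles (application) claims, without verifying the token."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))


def triage(status, body, jwt, portal_alert_times, now):
    """Map one /security/alerts response to the explanations given in the thread."""
    has_perm = bool(ALERT_PERMS & token_permissions(jwt))
    if status in (401, 403):
        if not has_perm:
            return "unauthorized: token lacks SecurityEvents permission"
        return "unauthorized although the token carries the permission"
    if body.get("value"):
        return "alerts returned"
    if not any(now - t <= WINDOW for t in portal_alert_times):
        return "empty set expected: no portal alert within 30 days"
    return "empty set unexpected: report to the API team"


def sample_token(claims):
    """Constructed, unsigned token for the demo below (not a real credential)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


NOW = datetime(2018, 5, 10, tzinfo=timezone.utc)   # constructed clock
RECENT, OLD = NOW - timedelta(days=3), NOW - timedelta(days=45)  # constructed alert times
EMPTY = {"@odata.context": "https://graph.microsoft.com/beta/$metadata#Security/alerts",
         "value": []}                               # response quoted in the question

if __name__ == "__main__":
    ok = sample_token({"scp": "User.Read.All SecurityEvents.Read.All"})
    print(triage(200, EMPTY, ok, [RECENT], NOW))
    print(triage(200, EMPTY, ok, [OLD], NOW))
    print(triage(401, {}, sample_token({"scp": "User.Read"}), [], NOW))
```
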
0

MS got in touch with me and solved the issue:

https://techcommunity.microsoft.com/t5/Using-Microsoft-Graph-Security/https-graph-microsoft-com-beta-security-alerts-Not-returning-any/m-p/191898#M5

Also thanks @jwes (also MS) for your assistance.

Christian Rodriguez