I'm trying to use the Microsoft Graph Security API to fetch security alerts for a specific user. It looks like I should be using the filter
parameter. But I can't figure out the property to search on. I can't find the common schema defined anywhere.
I'm only finding generic documentation like this: https://learn.microsoft.com/en-us/graph/query-parameters#filter-parameter
Is there a schema that I can reference?
Asked by Barry Rosenberg
1 Answer
If you want to get the name of the analyst the alert is assigned to for triage, investigation, or remediation, then you can use the assignedTo property.
Filter by analyst name
GET https://graph.microsoft.com/v1.0/security/alerts?$filter=assignedTo eq '{analyst_name}'
If you want to get security-related stateful information generated by the provider about the user accounts related to alerts, then you can use the userStates property.
Filter by user related to the alerts
GET https://graph.microsoft.com/v1.0/security/alerts?$filter=userStates/any(d:d/userPrincipalName eq '{user_mail}')
Answered by user2250152
Do you know if there are similar OData filters that can be used on the alert evidence for the alerts_v2 endpoint to accomplish the same thing? – rink.attendant.6 Aug 09 '23 at 00:49
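The two filters in the answer above, wrapped in a small Python client as an added example (this is not code from the question, the answer, or Microsoft). It assumes a bearer token obtained elsewhere with a permission that can read security alerts (SecurityEvents.Read.All is assumed here); the helper names `odata_string`, `user_filter`, `assigned_to_filter` and `fetch_all_alerts` are this example's own. Beyond the two one-line queries, it shows the two things a practitioner tends to get wrong: the single quote inside an OData string literal must be doubled, otherwise a UPN such as `o'brien@contoso.com` (or a deliberately crafted value) breaks out of the literal and changes the filter, and results arrive in pages that must be followed through `@odata.nextLink`. The `fetch` argument is injectable, so the paging logic runs offline against the constructed sample pages at the bottom.

```python
"""Query Microsoft Graph security alerts filtered by user or analyst.

Added example; assumes a valid bearer token (placeholder below) and an
app/delegated permission that can read alerts (SecurityEvents.Read.All
is assumed). Helper names here are the example's own, not Graph's.
"""
import json
import urllib.parse
import urllib.request

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"


def odata_string(value: str) -> str:
    """Quote a value as an OData string literal.

    OData escapes a single quote by doubling it. Without this, a value
    containing a quote would terminate the literal early and let the rest
    of the value be interpreted as part of the filter expression.
    """
    return "'" + value.replace("'", "''") + "'"


def user_filter(upn: str) -> str:
    """$filter that matches alerts whose userStates reference this UPN."""
    return f"userStates/any(d:d/userPrincipalName eq {odata_string(upn)})"


def assigned_to_filter(analyst: str) -> str:
    """$filter that matches alerts assigned to the named analyst."""
    return f"assignedTo eq {odata_string(analyst)}"


def alerts_url(filter_expr: str, top: int = 50) -> str:
    """Full request URL with the filter and page size URL-encoded."""
    query = urllib.parse.urlencode({"$filter": filter_expr, "$top": top})
    return f"{GRAPH_ALERTS}?{query}"


def http_get_json(url: str, token: str) -> dict:
    """Real transport: one authenticated GET returning the JSON body."""
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all_alerts(filter_expr: str, token: str, fetch=http_get_json) -> list:
    """Collect every alert for the filter, following @odata.nextLink pages."""
    url = alerts_url(filter_expr)
    alerts = []
    while url:
        page = fetch(url, token)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return alerts


def summarize(alert: dict) -> dict:
    """Pick the fields an analyst usually wants at a glance."""
    return {
        "id": alert.get("id"),
        "title": alert.get("title"),
        "severity": alert.get("severity"),
        "status": alert.get("status"),
        "users": [u.get("userPrincipalName") for u in alert.get("userStates", [])],
    }


# Constructed sample responses (not real Graph data) so the paging logic
# can be exercised offline: page 1 links to page 2 via @odata.nextLink.
SAMPLE_UPN = "alice@contoso.com"
_PAGE2_URL = GRAPH_ALERTS + "?%24skiptoken=constructed-token"
CONSTRUCTED_PAGES = {
    alerts_url(user_filter(SAMPLE_UPN)): {
        "value": [{"id": "a1", "title": "Suspicious sign-in", "severity": "medium",
                   "status": "newAlert",
                   "userStates": [{"userPrincipalName": SAMPLE_UPN}]}],
        "@odata.nextLink": _PAGE2_URL,
    },
    _PAGE2_URL: {
        "value": [{"id": "a2", "title": "Mail forwarding rule", "severity": "low",
                   "status": "inProgress",
                   "userStates": [{"userPrincipalName": SAMPLE_UPN}]}],
    },
}


def fake_fetch(url: str, token: str) -> dict:
    """Offline transport backed by CONSTRUCTED_PAGES."""
    return CONSTRUCTED_PAGES[url]


def demo_offline() -> list:
    """Run the user filter against the constructed pages; returns summaries."""
    alerts = fetch_all_alerts(user_filter(SAMPLE_UPN), "PLACEHOLDER_TOKEN", fetch=fake_fetch)
    return [summarize(a) for a in alerts]


if __name__ == "__main__":
    for row in demo_offline():
        print(row)
```

To run it against a tenant, call `fetch_all_alerts(user_filter(upn), token)` with the default transport; everything else stays the same. Note that the filter matches alerts whose `userStates` collection mentions the UPN, which is broader than "alerts about this user" if a provider also records the investigating account there.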