https://graph.microsoft.com/beta/security/alerts Not returning any data: value: []

Question

The new Microsoft Graph Security API should return data from different security providers, for now, Azure AD Identity Protection and Azure Security Center.

But https://graph.microsoft.com/beta/security/alerts is not returning any data (value: []).

We've tested the /security/alerts API from 2 different tenants. In both tenants, we have Azure AD Identity Protection and Azure Security Center Alerts. We can see those alerts from their respective blades in Azure Portal but /beta/security/alerts returns:

{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#Security/alerts",
  "value": []
}

We're authenticated with proper permissions. We've tried it from the Graph Explorer and from both c# samples (desktop and asp.net)

Any ideas?

Answer 1

MS got in touch with me and solved the issue:

https://techcommunity.microsoft.com/t5/Using-Microsoft-Graph-Security/https-graph-microsoft-com-beta-security-alerts-Not-returning-any/m-p/191898#M5

Also thanks @jwes (also MS) for your assistance.

Answer 2

Graph Explorer will not work at present for the Security API unless you don't login. In that case you will get the demo data. If you do login you should see 'unauthorized' (not and empty set). Graph Explorer currently does not ask for the permissions needed to access the Security API.

That aside, if you are using your own code as you indicated, you should be seeing any alerts you see in the portal, as long as they are newer than 30 days old. The Security API will only return alerts up to 30 days old for these two products right now.

So, if you have alerts newer than 30 days, and still are getting an empty set returned, then there may be an issue we'd like to look into. Please reply with your Directory ID. This GUID can be found looking in the Azure Portal under Active Directory Properties. Using this we can search for any ASC and AADIP alerts for your tenant that should be showing up from the API.