For some odd reason the results that I am getting from the Graph Security API the past two days are inaccurate and I can't for the life of me figure out why.
If I query https://graph.microsoft.com/v1.0/security/alerts I am returned 7 old alerts without any obvious relationship, rhyme, or reason for populating my results. These are not the 7 most recent, and we have had more than 7 alerts.
For example, when attempting to append $filter=vendorInformation/provider eq 'Microsoft Defender ATP' I receive:
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Security/alerts",
    "value": []
}
This issue appears to extend for me across all of the MTP services.
I can see the alerts within MDATP, and others like MCAS and ASC, when navigating directly to those portals or querying their platform-specific APIs, like https://api-us.securitycenter.windows.com/api/alerts for example.
I am getting data returned, it is just not the right data.
I am utilizing a Postman App registration with the SecurityEvents.Read.All and SecurityEvents.ReadWrite.All "Granted for MYDOMAIN".
I feel like I am missing something here. Anyone else having issues? More than happy to share additional details that would be useful.
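The diagnostic the post describes, turned into code as an added example (not from the original thread or from Microsoft): a small client that builds the Graph Security alerts URL with the same `$filter` the poster used, follows `@odata.nextLink` so a short first page is not mistaken for the full result set, and compares the filtered count against the providers actually present in the unfiltered listing. A filtered query that returns nothing while the unfiltered listing still shows that provider points at the service side rather than at the app registration. The `fetch` parameter is an injected transport so the logic runs offline; `SAMPLE_PAGES` and the alert IDs in it are constructed data, not real tenant output.

```python
"""Paginated Microsoft Graph Security alerts query with a filter consistency check.

Added example, not code from the original thread. Only the endpoint URL and the
$filter expression come from the post; everything else is an assumption.
"""
import json
import urllib.parse
import urllib.request

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"
# The exact filter expression the poster tried.
FILTER_MDATP = "vendorInformation/provider eq 'Microsoft Defender ATP'"


def build_alerts_url(filter_expr=None, top=None, orderby=None):
    """Build the alerts URL, percent-encoding the OData expressions but keeping
    the literal '$' in parameter names."""
    params = []
    if filter_expr:
        params.append("$filter=" + urllib.parse.quote(filter_expr))
    if top:
        params.append("$top=" + str(int(top)))
    if orderby:
        params.append("$orderby=" + urllib.parse.quote(orderby))
    return GRAPH_ALERTS + ("?" + "&".join(params) if params else "")


def http_fetch(url, token):
    """Real transport: GET the URL with a bearer token and decode the JSON body."""
    req = urllib.request.Request(
        url, headers={"Authorization": "Bearer " + token, "Accept": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def list_alerts(token, filter_expr=None, top=None, orderby=None,
                fetch=http_fetch, max_pages=50):
    """Return all alerts for the query, following @odata.nextLink page by page.
    max_pages guards against a transport that keeps handing back a nextLink."""
    url = build_alerts_url(filter_expr, top, orderby)
    alerts, pages = [], 0
    while url and pages < max_pages:
        body = fetch(url, token)
        alerts.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
        pages += 1
    return alerts


def summarize_by_provider(alerts):
    """Count alerts per vendorInformation/provider in the listing."""
    counts = {}
    for alert in alerts:
        provider = (alert.get("vendorInformation") or {}).get("provider", "<unknown>")
        counts[provider] = counts.get(provider, 0) + 1
    return counts


def check_filter_consistency(token, provider, fetch=http_fetch):
    """Return (count from a $filter on the provider, count of that provider in the
    unfiltered listing). The two should agree; a (0, n>0) result means the server-side
    filter is dropping alerts that the same endpoint lists without the filter."""
    filtered = list_alerts(token, filter_expr=f"vendorInformation/provider eq '{provider}'",
                           fetch=fetch)
    everything = list_alerts(token, fetch=fetch)
    return len(filtered), summarize_by_provider(everything).get(provider, 0)


# Constructed sample responses keyed by request URL (not real tenant data).
_ALERT_1 = {"id": "alert-1", "title": "Suspicious PowerShell",
            "vendorInformation": {"provider": "Microsoft Defender ATP", "vendor": "Microsoft"}}
_ALERT_2 = {"id": "alert-2", "title": "Impossible travel",
            "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"}}
_ALERT_3 = {"id": "alert-3", "title": "Malware detected",
            "vendorInformation": {"provider": "Microsoft Defender ATP", "vendor": "Microsoft"}}
_PAGE2 = GRAPH_ALERTS + "?$skiptoken=page2"
SAMPLE_PAGES = {
    build_alerts_url(): {"@odata.nextLink": _PAGE2, "value": [_ALERT_1, _ALERT_2]},
    _PAGE2: {"value": [_ALERT_3]},
    build_alerts_url(filter_expr=FILTER_MDATP): {"value": [_ALERT_1, _ALERT_3]},
}


def fake_fetch(url, token):
    """Offline transport: serve the constructed pages; unknown queries return an empty value."""
    return SAMPLE_PAGES.get(url, {"value": []})


if __name__ == "__main__":
    print(build_alerts_url(filter_expr=FILTER_MDATP, top=50, orderby="createdDateTime desc"))
    print(summarize_by_provider(list_alerts("fake-token", fetch=fake_fetch)))
    print(check_filter_consistency("fake-token", "Microsoft Defender ATP", fetch=fake_fetch))
```

Against a real tenant, swap `fake_fetch` for the default `http_fetch` and pass a token from an app registration holding SecurityEvents.Read.All; the comparison is only as good as the unfiltered listing itself, so if that listing is also short (as in the post), the platform-specific API remains the reference to check against.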
Thank you for your feedback. Our MDATP team has identified and fixed the issue and it should now work as expected.