I am trying to pull the base events related to an alert in Sentinel via API, however the Graph Security API really doesn't return much. I am unable to see mapped entities or the extended properties.
I've tried using the "expand" option in url to expand the properties but no luck. Honestly I really don't see a lot of info in Graph API that I would normally see in a search.
Also, is there a way for me to find the base events of a search from the alert id?
https://graph.microsoft.com/v1.0/security/alerts/{alert id}?$expand=extendedproperties
https://graph.microsoft.com/v1.0/security/alerts/{alert id}?$expand=extended
https://graph.microsoft.com/v1.0/security/alerts/{alert id}?$expand=properties
https://graph.microsoft.com/v1.0/security/alerts/{alert id}?$expand=extensions
The alert properties, including extended properties from multiple security providers (Azure Sentinel is one of them), are mapped to a common schema of the Graph Security API. The details of the Query field in Azure Sentinel may appear under different fields in the Graph Security alert. If any of the fields aren't there, they will be added in the product roadmap as we continue enriching the alert contextual information.
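To see where Sentinel's data actually lands in the Graph Security common schema, it helps to flatten the alert JSON and list the entity collections it carries. The script below is an added example, not code from this thread or from Microsoft. The field names follow the v1.0 `security/alerts` resource (`hostStates`, `userStates`, `networkConnections`, `fileStates`, `vendorInformation`), which are complex-type properties returned inline in the alert body, so no `$expand` is needed for them. The alert in `SAMPLE_ALERT` is a constructed sample, and `fetch_alert` assumes you already hold a bearer token for Graph; the alert id, hash and hostnames are placeholders.

```python
"""Flatten a Graph Security API alert and pull out its mapped entities.

Added example (not from the original thread). SAMPLE_ALERT is a
CONSTRUCTED alert shaped like the v1.0 security/alerts resource; the id,
hash, addresses and names are placeholders, not real data.
"""
import json
import urllib.request
from typing import Any, Dict, List

GRAPH_ALERT_URL = "https://graph.microsoft.com/v1.0/security/alerts/{alert_id}"

SAMPLE_ALERT: Dict[str, Any] = {
    "id": "ASSUMED-ALERT-ID-0001",
    "title": "Suspicious sign-in followed by file download",
    "category": "CredentialAccess",
    "severity": "medium",
    "status": "newAlert",
    "eventDateTime": "2024-01-01T10:15:00Z",
    "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"},
    "hostStates": [{"fqdn": "ws01.example.test", "privateIpAddress": "10.0.0.5"}],
    "userStates": [{"userPrincipalName": "alice@example.test", "logonIp": "203.0.113.9"}],
    "networkConnections": [
        {"sourceAddress": "203.0.113.9", "destinationAddress": "10.0.0.5",
         "destinationPort": "443", "protocol": "tcp"}
    ],
    "fileStates": [
        {"name": "payroll.xlsx", "path": "C:\\Users\\alice\\Downloads\\payroll.xlsx",
         "fileHash": {"hashType": "sha256", "hashValue": "ASSUMED-HASH"}}
    ],
}

# Common-schema collections and the scalar fields worth surfacing from each.
ENTITY_FIELDS = {
    "hostStates": ("fqdn", "netBiosName", "privateIpAddress", "publicIpAddress"),
    "userStates": ("userPrincipalName", "accountName", "domainName", "logonIp"),
    "networkConnections": ("sourceAddress", "destinationAddress", "destinationPort", "protocol"),
    "fileStates": ("name", "path"),
}


def fetch_alert(alert_id: str, bearer_token: str) -> Dict[str, Any]:
    """GET a single alert from Graph (network call; not used by the offline demo)."""
    req = urllib.request.Request(
        GRAPH_ALERT_URL.format(alert_id=alert_id),
        headers={"Authorization": f"Bearer {bearer_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Walk nested dicts/lists and return {dotted.path: scalar} for every leaf."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            out.update(flatten(val, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            out.update(flatten(val, f"{prefix}{idx}."))
    else:
        out[prefix.rstrip(".")] = obj
    return out


def extract_entities(alert: Dict[str, Any]) -> Dict[str, List[str]]:
    """Group populated entity values by the common-schema collection they sit in."""
    found: Dict[str, List[str]] = {}
    for collection, fields in ENTITY_FIELDS.items():
        for item in alert.get(collection) or []:
            for field in fields:
                value = item.get(field)
                if value:
                    found.setdefault(collection, []).append(f"{field}={value}")
            # File hashes are nested one level deeper than the other file fields.
            file_hash = item.get("fileHash")
            if isinstance(file_hash, dict) and file_hash.get("hashValue"):
                found.setdefault(collection, []).append(
                    f"{file_hash.get('hashType')}={file_hash['hashValue']}"
                )
    return found


def ip_addresses(alert: Dict[str, Any]) -> List[str]:
    """Distinct IP-looking values from any *Address / *Ip leaf, sorted for stable output."""
    leaves = flatten(alert)
    ips = {
        str(val) for path, val in leaves.items()
        if path.split(".")[-1].endswith(("Address", "Ip")) and val
    }
    return sorted(ips)


if __name__ == "__main__":
    for path, val in sorted(flatten(SAMPLE_ALERT).items()):
        print(f"{path} = {val}")
    print(json.dumps(extract_entities(SAMPLE_ALERT), indent=2))
    print("IPs:", ip_addresses(SAMPLE_ALERT))
```

Run it as-is to see the constructed alert flattened; swap `SAMPLE_ALERT` for `fetch_alert(alert_id, token)` to inspect a real one. Anything missing from the flattened output is simply not in the Graph copy of the alert. The full Sentinel record, including the `ExtendedProperties` and `Entities` JSON columns, lives in the workspace's `SecurityAlert` table, and the base events come from re-running the rule's query over the Log Analytics workspace rather than from Graph.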