Tags: office365, microsoft-graph-api, microsoft-graph-security

Microsoft Graph Security API Gives 206, Empty `values`


I am trying to retrieve security events and/or alerts from the Microsoft Graph Security API. The end goal is to get EOP events.

When I submit the request:

GET https://graph.microsoft.com/v1.0/security/alerts

I get this:

HTTP/1.1 206 Partial Content
Cache-Control: private
Warning: 199 - "Microsoft/WDATP/401/16"
Content-Type: application/json;odata.metadata=minimal;odata.streaming=true;IEEE754Compatible=false;charset=utf-8
request-id: [REDACTED]
client-request-id: [REDACTED]
x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"West US","Slice":"SliceC","Ring":"5","ScaleUnit":"003","Host":"AGSFE_IN_22","ADSiteName":"WUS"}}
OData-Version: 4.0
Duration: 399.4425
Strict-Transport-Security: max-age=31536000
Date: Thu, 18 Oct 2018 00:36:42 GMT
Content-Length: 90

{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#Security/alerts","value":[]}

I feel it's worth noting that I see an alert for a phishing campaign with 11 attempts total and 1 attempt today on the Office 365 Security and Compliance Center's Reports Dashboard (what a mouthful).

I tried to treat it like a proper 206, but Accept-Ranges is not set, HEAD is not allowed, and passing Range: bytes=0-10000 changes nothing. I also noticed the Warning: 199 - "Microsoft/WDATP/401/16" header, which follows {Vendor}/{Provider}/{StatusCode}/{LatencyInMs}, but I am unsure why it is occurring. Even if it is occurring, I need EOP logs, not Windows Defender ATP logs, so I am hoping I can ignore this.

Additional info:

  • I set up the app following this document (except I granted SecurityEvents.Read.All as an application permission).
  • I am using Python requests, and am only setting the Authorization header (except for when I was messing around with the Range header). I have also tried this with Fiddler.
  • My organization has EOP (comes with Exchange), but not Office 365 ATP. Getting ATP working would be nice, but is not necessary. Getting EOP logs/events/alerts/whatever is my main goal.

EDIT: SOLUTION FOR EOP LOGS

I finally found an endpoint to programmatically get EOP logs. The user accessing it can't have MFA and there is some poorly documented rate limiting, but otherwise it looks good. For details, see this page. Specifically, I GET this page to view my permissions, and GET this page to view the messages (don't be fooled by your browser's RSS feed view, there is a lot of data there).


Solution

  • The reason you are not getting any alerts back from the Security API is that Office 365 is not fully integrated with the API today. Office 365 is listed as coming soon on the list of current providers on the Microsoft Graph Security API page.

    From the warning header you received, it looks like you have a WDATP subscription but don't have the required role in WDATP. In order to get alerts from WDATP, the user must have the correct roles to view the alerts. The permissions needed in WDATP are "View data" to access the portal and the API to GET alerts, and "Investigate alerts" to PATCH alerts in WDATP. For steps to add the required roles, read Create and manage roles for role-based access control.

    If you want to get alerts from the Security API you could register for a trial with Azure Security Center and generate an alert in your tenant.

    How to Generate an ASC Alert: After the Security Center agent is installed on your computer, follow the steps below from the computer that you want to be the attacked resource in the alert:

    1. Copy an executable (for example calc.exe) to the computer’s desktop, or other directory of your convenience.
    2. Rename this file to ASC_AlertTest_662jfi039N.exe.
    3. Open the command prompt and execute this file with an argument (just a fake argument name), such as: ASC_AlertTest_662jfi039N.exe -foo
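The practical point of both the question and the answer is that a 206 from /security/alerts is not a byte-range response: it means the federated query got no usable answer from at least one provider, and the per-provider status lives in the Warning header in the {Vendor}/{Provider}/{StatusCode}/{LatencyInMs} form. The following is an added example, not code from the question or the answer, that parses that header and turns a response into something a script can act on (an empty value[] next to a 401 for a provider is "fix the role or consent", not "no alerts"). It uses the standard-library urllib instead of the asker's requests so it runs offline; the response headers and body are the ones posted in the question, plus a second Warning entry for a provider named "ASC" timing out with 504, which is constructed here purely to show that several entries parse, and the fetch_alerts function is a live call that is not exercised offline.

```python
import json
import re
import urllib.request
from dataclasses import dataclass

# Per-provider status the Graph Security API reports alongside a 206:
#   Warning: 199 - "{Vendor}/{Provider}/{StatusCode}/{LatencyInMs}"
# Several entries may be present, comma-separated, one per affected provider.
_WARN_RE = re.compile(r'199\s*-\s*"([^/"]+)/([^/"]+)/(\d{3})/(\d+)"')


@dataclass(frozen=True)
class ProviderWarning:
    vendor: str
    provider: str
    status: int
    latency_ms: int


def parse_warning_header(value):
    """Return every {Vendor}/{Provider}/{StatusCode}/{LatencyInMs} entry in a Warning header."""
    if not value:
        return []
    return [
        ProviderWarning(vendor, provider, int(status), int(latency))
        for vendor, provider, status, latency in _WARN_RE.findall(value)
    ]


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def assess_alerts_response(status_code, headers, body):
    """Turn a /security/alerts response into a verdict a caller can act on.

    A 206 here means the federated query did not get a usable answer from every
    provider; the Warning header says which ones and why. A 401/403 for a
    provider is a missing role or consent on that provider (as the answer above
    explains for WDATP), not a rejection of the bearer token, which Graph itself
    already accepted.
    """
    warnings = parse_warning_header(_header(headers, "Warning"))
    alerts = json.loads(body).get("value", [])
    failed = {w.provider: w.status for w in warnings if w.status >= 400}
    return {
        "partial": status_code == 206,
        "alert_count": len(alerts),
        "failed_providers": failed,
        "permission_problem": any(s in (401, 403) for s in failed.values()),
    }


def fetch_alerts(token, top=10):
    """Live call with an app-only bearer token (SecurityEvents.Read.All); not run offline."""
    req = urllib.request.Request(
        f"https://graph.microsoft.com/v1.0/security/alerts?$top={top}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    # urlopen raises HTTPError on 4xx/5xx, but 206 is a success code and comes
    # back here normally, so the Warning header has to be inspected explicitly.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return assess_alerts_response(resp.status, dict(resp.headers), resp.read())


# Constructed sample: the headers and body from the question, plus a second
# Warning entry (provider "ASC" timing out) invented here to show multiple entries.
SAMPLE_HEADERS = {
    "Content-Type": "application/json;odata.metadata=minimal",
    "Warning": '199 - "Microsoft/WDATP/401/16", 199 - "Microsoft/ASC/504/30000"',
}
SAMPLE_BODY = '{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#Security/alerts","value":[]}'

if __name__ == "__main__":
    verdict = assess_alerts_response(206, SAMPLE_HEADERS, SAMPLE_BODY)
    for provider, status in verdict["failed_providers"].items():
        print(f"{provider}: provider returned {status}")
    if verdict["permission_problem"]:
        print("fix the provider role/consent before treating an empty value[] as 'no alerts'")
```

Run it as-is to see the sample classified; to use it against a tenant, obtain an app-only token with client credentials and call fetch_alerts(token). The design choice worth copying is that the check keys on the Warning header rather than on the status code alone: a 206 with an empty value[] and no 4xx provider entries is a genuinely empty result, whereas the same body next to a 401 entry should be surfaced as a configuration error.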