Forum Discussion

patelvinit04
Copper Contributor
Apr 29, 2025

Microsoft Graph Security API response does not have all info.

GET /security/alerts/{alertsId} HTTP request was successfully made and received. The alert was a DLP alert and it contained the file path and file name associated with it in the actual Defender tool. However, the HTTP request did not return that information back despite it having a return parameter of fileStates.

1 Reply

  • jadavakashkumar
    Copper Contributor

    The Microsoft Graph Security API aggregates alerts from multiple security providers but does not expose all detailed fields seen in the native Defender tools, especially for DLP alerts. While the API returns alert data including a fileStates property, it may not include detailed file path or file name information visible in the Defender portal for DLP alerts. This is because:

    • DLP alerts originate from Microsoft Purview DLP policies managed in the Compliance Center, which currently does not fully expose detailed DLP alert data via the Graph Security API.
    • The Graph Security API focuses on unified alert metadata and may omit some contextual details that remain only in the native tools.
    • For related user activities or detailed file info, advanced hunting queries or other Microsoft 365 Defender APIs might be required instead.

    In summary, the missing file path and name in the API response is a known limitation due to the separation of DLP alert management in Purview and the unified but abstracted view the Graph Security API provides. To get full DLP alert details, consider using the Microsoft 365 Compliance Center or advanced hunting queries rather than relying solely on the Graph Security API alert endpoint.
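An added example, not part of the original posts and not Microsoft's code: a consumer of the alert endpoint can check whether `fileStates` actually carries a file name or path, and queue the alert for lookup in the portal or advanced hunting when it does not. The alert objects below are constructed samples trimmed to a few fields; the `category` values and ids are made up, and `name` and `path` are the `fileStates` fields this sketch assumes.

```python
# Constructed sample alerts (not real API output), covering the shapes a
# consumer has to tolerate: empty list, null fields, missing key, populated.
SAMPLE_ALERTS = [
    {"id": "alert-0001", "category": "dlp-sample", "fileStates": []},
    {"id": "alert-0002", "category": "dlp-sample",
     "fileStates": [{"name": None, "path": None, "fileHash": None}]},
    {"id": "alert-0003", "category": "dlp-sample"},  # key absent entirely
    {"id": "alert-0004", "category": "malware-sample",
     "fileStates": [{"name": "invoice.docm",
                     "path": "C:\\Users\\demo\\Downloads",
                     "fileHash": None}]},
]


def file_details(alert):
    """Return the (name, path) pairs that are actually populated."""
    found = []
    # `or []` covers both a missing key and an explicit JSON null.
    for state in alert.get("fileStates") or []:
        name, path = state.get("name"), state.get("path")
        if name or path:
            found.append((name, path))
    return found


def triage(alerts):
    """Split alerts into those with usable file details and those that
    need enrichment from another source (portal, advanced hunting)."""
    complete, needs_enrichment = {}, []
    for alert in alerts:
        details = file_details(alert)
        if details:
            complete[alert["id"]] = details
        else:
            needs_enrichment.append(alert["id"])
    return complete, needs_enrichment


if __name__ == "__main__":
    complete, needs_enrichment = triage(SAMPLE_ALERTS)
    for alert_id, details in complete.items():
        print(alert_id, "file details:", details)
    print("look up elsewhere:", needs_enrichment)
```
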
