Describe the bug
We have a custom detection method that creates alerts when emails from a specific domain are blocked. The category the alerts fall under is 'Collection'. When querying these alerts via Graph Explorer or the Graph Security connector in Power Automate, the results are blank.
To Reproduce
Steps to reproduce the behavior:
Create a custom detection method in security.microsoft.com
##########Detection Query##############
EmailEvents
| where SenderFromDomain in ("emaildomain.com")
| where Timestamp >= ago(1d)
| where not(DeliveryLocation has "Inbox" or DeliveryLocation has "Forwarded" or DeliveryLocation has "Deleted" or DeliveryLocation has "On-premises")
| summarize Count = count(), Timestamp = max(Timestamp), ReportId = max(ReportId) by Subject, DeliveryLocation, RecipientEmailAddress
| project Subject, DeliveryLocation, Count, Timestamp, RecipientEmailAddress, ReportId
| sort by Count desc
####################################
Custom detection method settings:
- https://graph.microsoft.com/v1.0/security/alerts?$filter=category eq 'Collection'
Expected behavior
Alerts created from custom detection methods, or alerts with the category Collection, can be queried from the Graph API.
Additional Context
I have tried querying the alerts through other means (title, severity, etc.); the API does not return any info on these alerts.
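The following is an added example, not code from the issue or from the Graph project, showing how a defender would reproduce and check the query above: it builds the `/security/alerts` request with a correctly encoded OData `$filter`, follows `@odata.nextLink` pagination so an empty first page is not mistaken for "no alerts", and issues the same filtered query against the newer `/security/alerts_v2` endpoint for comparison. The assumption that `alerts_v2` is the endpoint worth comparing against, the bearer-token helper, and the constructed sample responses are all mine; the page only states that the legacy endpoint returned nothing.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List

GRAPH = "https://graph.microsoft.com/v1.0"


def alerts_url(endpoint: str, category: str, top: int = 50) -> str:
    """Build the Graph security alerts URL with a correctly encoded OData $filter.

    A single quote inside an OData string literal is escaped by doubling it,
    and spaces are percent-encoded rather than turned into '+'.
    """
    literal = category.replace("'", "''")
    params = {"$filter": f"category eq '{literal}'", "$top": str(top)}
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return f"{GRAPH}/security/{endpoint}?{query}"


def iter_alerts(first_url: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Yield every alert in the collection, following @odata.nextLink until exhausted."""
    url = first_url
    while url:
        page = fetch(url)
        for alert in page.get("value", []):
            yield alert
        url = page.get("@odata.nextLink")


def collect_by_category(
    fetch: Callable[[str], dict],
    category: str,
    endpoints=("alerts", "alerts_v2"),
) -> Dict[str, List[str]]:
    """Run the same category filter against each endpoint and return alert ids per endpoint.

    Comparing the two lists shows whether the alerts exist in Graph at all or are
    simply absent from the endpoint the issue queried (assumption: alerts_v2 is the
    endpoint worth checking; not stated on the page).
    """
    return {
        ep: [a.get("id") for a in iter_alerts(alerts_url(ep, category), fetch)]
        for ep in endpoints
    }


def graph_fetch(token: str) -> Callable[[str], dict]:
    """Return a fetch function that GETs a Graph URL with a bearer token (live use only)."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
        )
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


# Constructed sample responses (not real Graph output): the legacy endpoint returns an
# empty collection, as in the issue, while alerts_v2 returns two alerts across two pages.
_NEXT = f"{GRAPH}/security/alerts_v2?%24skiptoken=constructed-token"
SAMPLE_PAGES = {
    alerts_url("alerts", "Collection"): {"value": []},
    alerts_url("alerts_v2", "Collection"): {
        "value": [{"id": "constructed-alert-1", "category": "Collection"}],
        "@odata.nextLink": _NEXT,
    },
    _NEXT: {"value": [{"id": "constructed-alert-2", "category": "Collection"}]},
}


def sample_fetch(url: str) -> dict:
    """Offline stand-in for graph_fetch() that serves the constructed pages above."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in graph_fetch("<token>") for a live check.
    print(json.dumps(collect_by_category(sample_fetch, "Collection"), indent=2))
```

With a live token the same `collect_by_category(graph_fetch(token), "Collection")` call shows side by side what each endpoint returns for the filter; a non-empty `alerts_v2` list next to an empty `alerts` list narrows the problem to the legacy endpoint rather than to the custom detection or the filter syntax.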