Retrieve a list of alerts.

External Documentation

To learn more, visit the Microsoft Defender For Cloud Apps documentation.

Basic Parameters

Parameter | Description
Filters | Filter objects containing all the search filters for the request; see alert filters for more details. For example, to filter for open alerts from the last 2 days: { "alertOpen": { "eq": true }, "date": { "lte_ndays": 2 } }

Advanced Parameters

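Parameter | Description
Limit | Number of records returned by the request.
Skip | Skips the specified number of records. Use it together with Limit to page through results; the `hasNext` field in the response (see Example Output) appears to indicate whether more records remain, so a single request may not return every matching alert.
Sort Direction | The sorting direction. Possible values are: asc and desc.
Sort Field | Field used to sort alerts. Possible values are: - date: The date when the alert was created. - severity: The severity of the alert.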

Example Output

{
	"data": [
		{
			"_id": "603f704aaf7417985bbf3b22",
			"contextId": "206e2965-6533-48a6-ba9e-794364a84bf9",
			"description": "Contoso user performed 11 suspicious activities MITRE Technique used Account Discovery (T1087) and subtechnique used Domain Account (T1087.002)",
			"entities": [
				{
					"entityRole": "Source",
					"entityType": 2,
					"id": "6204bdaf-ad46-4e99-a25d-374a0532c666",
					"inst": 0,
					"label": "user1",
					"pa": "user1@contoso.com",
					"saas": 11161,
					"type": "account"
				},
				{
					"entityRole": "Related",
					"id": "55017817-27af-49a7-93d6-8af6c5030fdb",
					"label": "DC3",
					"type": "device"
				},
				{
					"id": 20940,
					"label": "Active Directory",
					"type": "service"
				},
				{
					"entityRole": "Related",
					"id": "95c59b48-98c1-40ff-a444-d9040f1f68f2",
					"label": "DC4",
					"type": "device"
				},
				{
					"id": "5bfd18bfab73c36ba10d38ca",
					"label": "Honeytoken activity",
					"policyType": "ANOMALY_DETECTION",
					"type": "policyRule"
				},
				{
					"entityRole": "Source",
					"id": "34f3ecc9-6903-4df7-af79-14fe2d0d4553",
					"label": "Client1",
					"type": "device"
				},
				{
					"entityRole": "Related",
					"id": "d68772fe-1171-4124-9f73-0f410340bd54",
					"label": "DC1",
					"type": "device"
				},
				{
					"type": "groupTag",
					"id": "5f759b4d106abbe4a504ea5d",
					"label": "All Users"
				}
			],
			"idValue": 15795464,
			"isSystemAlert": false,
			"resolutionStatusValue": 0,
			"severityValue": 1,
			"statusValue": 1,
			"stories": [
				0
			],
			"threatScore": 34,
			"timestamp": 1621941916475,
			"title": "Honeytoken activity",
			"comment": "",
			"handledByUser": "administrator@contoso.com",
			"resolveTime": "2021-05-13T14:02:34.904Z",
			"URL": "https://contoso.portal.cloudappsecurity.com/#/alerts/603f704aaf7417985bbf3b22"
		}
	],
	"hasNext": false,
	"max": 1,
	"total": 1,
	"moreThanTotal": false
}

Workflow Library Example

List Alerts with Microsoft Defender for Cloud Apps and Send Results Via Email
