Skip to main content
List endpoint defender alerts. The following permissions are required to run this action:
  • Alert.Read.All
  • Alert.ReadWrite.All
External DocumentationTo learn more, visit the Microsoft Defender For Endpoints documentation.

Parameters

ParameterDescription
FilterThe filter to apply on the operation. You can filter by alertCreationTime, lastUpdateTime, incidentId, InvestigationId, id, asssignedTo, detectionSource, lastEventTime, status, severity and category.
For more information: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-odata-samples?view=o365-worldwide
LimitThe amount of results which will be returned. Max value is 10,000.
OffsetThe offset of the item at which to begin the response.

Example Output

{
	"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
	"value": [
		{
			"id": "da637308392288907382_-880718168",
			"incidentId": 7587,
			"investigationId": 723156,
			"assignedTo": "secop123@contoso.com",
			"severity": "Low",
			"status": "New",
			"classification": "TruePositive",
			"determination": null,
			"investigationState": "Queued",
			"detectionSource": "WindowsDefenderAv",
			"category": "SuspiciousActivity",
			"threatFamilyName": "Meterpreter",
			"title": "Suspicious 'Meterpreter' behavior was detected",
			"description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
			"alertCreationTime": "2020-07-20T10:53:48.7657932Z",
			"firstEventTime": "2020-07-20T10:52:17.6654369Z",
			"lastEventTime": "2020-07-20T10:52:18.1362905Z",
			"lastUpdateTime": "2020-07-20T10:53:50.19Z",
			"resolvedTime": null,
			"machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",
			"computerDnsName": "temp123.middleeast.corp.microsoft.com",
			"rbacGroupName": "MiddleEast",
			"aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
			"threatName": null,
			"mitreTechniques": [
				"T1064",
				"T1085",
				"T1220"
			],
			"relatedUser": {
				"userName": "temp123",
				"domainName": "DOMAIN"
			},
			"comments": [
				{
					"comment": "test comment for docs",
					"createdBy": "secop123@contoso.com",
					"createdTime": "2020-07-21T01:00:37.8404534Z"
				}
			],
			"evidence": []
		}
	]
}

Workflow Library Example

List Alerts with Microsoft Defender for Endpoints and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop