Fetch Microsoft Security Alerts for a specific user
I'm trying to use the Microsoft Graph Security API to fetch security alerts for a specific user. It looks like I should be using the filter parameter, but I can't figure out which property to search on. I can't find the common schema defined anywhere.
I'm only finding generic documentation like this: https://docs.microsoft.com/en-us/graph/query-parameters#filter-parameter
Is there a schema that I can reference?
Solution 1:[1]
If you want to get the name of the analyst the alert is assigned to for triage, investigation, or remediation, then you can use the assignedTo property.
Filter by analyst name
GET https://graph.microsoft.com/v1.0/security/alerts?$filter=assignedTo eq '{analyst_name}'
If you want to get security-related stateful information generated by the provider about the user accounts related to the alerts, then you can use the userStates property.
Filter by user related to the alerts
GET https://graph.microsoft.com/v1.0/security/alerts?$filter=userStates/any(d:d/userPrincipalName eq '{user_mail}')
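As an added example (not part of the answer above and not Microsoft's own client code), the two filters from the answer built in Python with the OData string literal quoted properly, the request paged through @odata.nextLink, and the returned alerts cross-checked on the client. The helper names, the constructed sample page and the contoso.example addresses are this example's own assumptions; only the endpoint and the two $filter expressions come from the answer.

```python
# Added example, not from the Stack Overflow post: build the $filter queries
# from the answer safely, walk the paged response and summarise the result.
# Helper names, sample data and addresses are assumptions of this example.
import json
import urllib.parse
import urllib.request

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"


def odata_string(value: str) -> str:
    """Quote a value for an OData $filter. A literal single quote is written as
    two single quotes, so a value such as o'brien cannot end the literal early."""
    return "'" + value.replace("'", "''") + "'"


def alerts_by_user_url(user_principal_name: str) -> str:
    """URL for alerts whose userStates name the given UPN (the answer's second query)."""
    flt = f"userStates/any(d:d/userPrincipalName eq {odata_string(user_principal_name)})"
    return f"{GRAPH_ALERTS_URL}?$filter={urllib.parse.quote(flt, safe='')}"


def alerts_by_analyst_url(analyst_name: str) -> str:
    """URL for alerts assigned to an analyst (the answer's first query)."""
    flt = f"assignedTo eq {odata_string(analyst_name)}"
    return f"{GRAPH_ALERTS_URL}?$filter={urllib.parse.quote(flt, safe='')}"


def filter_of(url: str) -> str:
    """Decode the $filter value back out of a URL, to inspect what would be sent."""
    query = urllib.parse.urlsplit(url).query
    return urllib.parse.parse_qs(query)["$filter"][0]


def fetch_alerts(url: str, access_token: str) -> list:
    """GET the alerts with a bearer token and follow @odata.nextLink until the
    collection is exhausted. Needs network access and a token that is allowed
    to read security alerts; the offline sample below does not call this."""
    alerts = []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Bearer {access_token}",
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return alerts


def user_alert_summary(alerts: list, user_principal_name: str) -> list:
    """Reduce alert objects to (id, severity, title) for those whose userStates
    actually contain the UPN (case-insensitive). The server-side $filter is
    authoritative; this is a cheap client-side cross-check of what came back."""
    upn = user_principal_name.lower()
    out = []
    for alert in alerts:
        states = alert.get("userStates") or []
        if any((s.get("userPrincipalName") or "").lower() == upn for s in states):
            out.append((alert["id"], alert.get("severity"), alert.get("title")))
    return out


# Constructed sample in the shape of a v1.0 alerts collection page (not real data).
SAMPLE_PAGE = {
    "value": [
        {"id": "alert-0001", "severity": "high", "title": "Anomalous sign-in",
         "assignedTo": "sec.analyst@contoso.example",
         "userStates": [{"userPrincipalName": "alice@contoso.example"}]},
        {"id": "alert-0002", "severity": "medium", "title": "Mass download",
         "assignedTo": "sec.analyst@contoso.example",
         "userStates": [{"userPrincipalName": "bob@contoso.example"}]},
        {"id": "alert-0003", "severity": "low", "title": "Unfamiliar location",
         "userStates": [{"userPrincipalName": "Alice@contoso.example"},
                        {"userPrincipalName": "bob@contoso.example"}]},
    ]
}

if __name__ == "__main__":
    print(alerts_by_user_url("alice@contoso.example"))
    print(user_alert_summary(SAMPLE_PAGE["value"], "alice@contoso.example"))
```

The quoting in odata_string is the part worth keeping even if the rest is replaced by an SDK: the UPN or analyst name usually comes from a form field or a ticket, and a stray apostrophe in it would otherwise turn into a malformed (or differently scoped) filter. Pass a real token to fetch_alerts to run it against the live endpoint.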
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | user2250152 |
