Microsoft Graph Security API Alerts v2 Troubleshooting
This document provides troubleshooting guidance for the Microsoft Graph Security API Alerts v2 integration, including steps to take when alerts visible in the Microsoft Defender portal do not appear to be ingested into Secureworks® Taegis™ XDR.
Why Alerts May Be Missing in XDR
Microsoft has transitioned from the legacy Graph Security Alerts API (/security/alerts) to the newer Unified Alerts API (/security/alerts_v2). Because these APIs retrieve alerts from different backend systems, the alerts returned by each API may not be identical.
- The legacy alerts API aggregates alerts from multiple security providers through the Microsoft Graph Security federation layer.
- The alerts_v2 API retrieves alerts from the Microsoft Defender XDR unified alert system.
As a result, alerts available through the legacy API may not appear in alerts_v2 unless those alert providers are properly integrated with Microsoft Defender.
To ensure consistent alert visibility in XDR, validate that all of your security alert providers are connected to Microsoft Defender and that alerts are visible in the Defender unified alert experience.
Summary
| API | Backend | What It Retrieves |
|---|---|---|
| Legacy Graph alerts API (/security/alerts) | Microsoft Graph Security federation layer | Aggregated alerts from multiple providers |
| Unified alerts API (/security/alerts_v2) | Microsoft Defender XDR unified alert system | Alerts that flow through the Defender unified experience |
Because of this architectural difference, alerts returned by each API may not always match unless all alert providers are integrated with Microsoft Defender.
Troubleshooting Steps
Step 1: Verify Access to Microsoft Defender
Confirm that your tenant can access the Microsoft Defender portal and that alerts are being generated.
- Open the Microsoft Defender portal.
- Go to Incidents & alerts > Alerts.
- Confirm that alerts are present in this view.
If alerts appear here, they should also be accessible through the Microsoft Graph unified alerts API (alerts_v2), assuming proper API permissions are configured.
For more information, see Microsoft's documentation:
Step 2: Identify Security Alert Providers in Your Tenant
The Microsoft Graph Security API aggregates alerts from several security services. Examples include:
- Microsoft Defender for Endpoint
- Microsoft Defender for Office 365
- Microsoft Defender for Identity
- Microsoft Defender for Cloud Apps
- Microsoft Defender for Cloud
- Microsoft Entra ID Protection
If alerts originate from a provider that is not integrated with Microsoft Defender XDR, they may appear in the legacy API but not in the unified alerts API.
For information about the Microsoft Graph Security API architecture and supported providers, see Use the Microsoft Graph security API.
Step 3: Confirm Defender Workloads Are Connected
Within the Microsoft Defender portal:
- Go to Settings.
- Select Endpoints, Identities, Cloud Apps, or Email & collaboration, depending on the workload.
- Confirm the workload shows as enabled or onboarded.
Each Defender workload must be properly configured and generating alerts for those alerts to appear in the unified alerts system.
For more information, see Microsoft's documentation:
- Microsoft Defender XDR overview
- Onboard devices to Microsoft Defender for Endpoint
- Microsoft Defender for Office 365
Step 4: Compare Alerts Between Defender and the API
To validate API ingestion:
- In the Microsoft Defender portal, go to Incidents & alerts > Alerts.
- Filter alerts to a recent time window.
- Compare alert IDs and timestamps with the alerts ingested into XDR via the API.
This comparison helps confirm whether alerts visible in Defender are also being retrieved through the Microsoft Graph API.
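The comparison in Step 4, as an added example that is not part of this page or of the Taegis integration's own code: a Python script that builds the alerts_v2 query for a recent time window, restricts a set of alert records to that window, and reports which alert IDs are absent from the set already ingested into XDR, grouped by serviceSource so a gap can be traced back to one of the providers listed in Step 2. The $filter on createdDateTime and the serviceSource property are alerts_v2 features as I know them and are assumptions here; the alert records and the ingested ID set are constructed sample data standing in for a real API response and an XDR export.

```python
"""Reconcile alerts_v2 results against alert IDs already ingested into XDR.

Added example, not part of the original troubleshooting page. The alert
records are constructed sample data in the shape of the alerts_v2 resource
(id, createdDateTime, serviceSource, title); INGESTED_IDS stands in for
whatever you export from XDR for the same window.
"""
import json
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import quote, urlencode

GRAPH_ALERTS_V2 = "https://graph.microsoft.com/v1.0/security/alerts_v2"

# The comparison window used for both the API query and the local filter.
WINDOW_START = datetime(2024, 5, 1, 0, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 2, 0, 0, 0, tzinfo=timezone.utc)

# Constructed sample response in the alerts_v2 shape (not real tenant data).
SAMPLE_RESPONSE = json.dumps({"value": [
    {"id": "sample-alert-0001", "createdDateTime": "2024-05-01T08:15:00Z",
     "serviceSource": "microsoftDefenderForEndpoint", "title": "Suspicious process"},
    {"id": "sample-alert-0002", "createdDateTime": "2024-05-01T09:40:00Z",
     "serviceSource": "microsoftDefenderForOffice365", "title": "Phish delivered"},
    {"id": "sample-alert-0003", "createdDateTime": "2024-05-01T11:05:00Z",
     "serviceSource": "microsoftDefenderForIdentity", "title": "Unusual logon"},
    # Outside the window: must be ignored, not reported as missing.
    {"id": "sample-alert-0000", "createdDateTime": "2024-04-30T23:30:00Z",
     "serviceSource": "microsoftDefenderForEndpoint", "title": "Old alert"},
]})

# Constructed set of IDs that XDR shows as ingested for the same window.
INGESTED_IDS = {"sample-alert-0001", "sample-alert-0002"}


def build_alerts_v2_url(window_start: datetime) -> str:
    """Return the alerts_v2 GET URL for alerts created on or after window_start.

    Assumes the OData $filter on createdDateTime; quote_via=quote keeps spaces
    as %20 rather than '+', which is the safer encoding for Graph filters.
    """
    ts = window_start.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    params = {
        "$filter": f"createdDateTime ge {ts}",
        "$orderby": "createdDateTime desc",
        "$top": "100",
    }
    return f"{GRAPH_ALERTS_V2}?{urlencode(params, quote_via=quote)}"


def parse_alerts(response_body: str) -> list:
    """Extract the alert records from an alerts_v2 JSON page."""
    return json.loads(response_body)["value"]


def alerts_in_window(alerts: list, start: datetime, end: datetime) -> list:
    """Keep only alerts whose createdDateTime falls inside [start, end]."""
    kept = []
    for alert in alerts:
        # fromisoformat accepts 'Z' only on Python 3.11+, so normalise it.
        created = datetime.fromisoformat(alert["createdDateTime"].replace("Z", "+00:00"))
        if start <= created <= end:
            kept.append(alert)
    return kept


def reconcile(api_alerts: list, ingested_ids: set):
    """Return the alerts not present in XDR and a per-provider count of them."""
    missing = [a for a in api_alerts if a["id"] not in ingested_ids]
    by_source = Counter(a.get("serviceSource", "unknown") for a in missing)
    return missing, by_source


def run_reconciliation():
    """Run the Step 4 comparison over the constructed sample data."""
    alerts = alerts_in_window(parse_alerts(SAMPLE_RESPONSE), WINDOW_START, WINDOW_END)
    return reconcile(alerts, INGESTED_IDS)


if __name__ == "__main__":
    print("Query:", build_alerts_v2_url(WINDOW_START))
    missing, by_source = run_reconciliation()
    for alert in missing:
        print(f"missing in XDR: {alert['id']} {alert['createdDateTime']} {alert['serviceSource']}")
    print("missing per provider:", dict(by_source))
```

The per-provider count is the useful output: if every missing alert shares one serviceSource, check that provider's Defender integration (Step 3) before escalating; if the IDs are spread across providers that are connected, collect them with their timestamps for the escalation described below.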
When to Escalate
- If alerts visible in the Microsoft Defender portal are not appearing in XDR, contact support with the relevant alert IDs and timestamps so we can assist with further investigation.
- If you determine that alerts cannot be integrated with Defender through their unified alert workflow, contact Microsoft for support, as the limitation is on the Microsoft side.