Get Custom Details from Sentinel
How do I go about getting the custom details set using https://learn.microsoft.com/en-us/azure/sentinel/surface-custom-details-in-alerts using REST API? I need to do this outside of logic app and using REST API. The incidents API endpoint doesn’t provide this detail and I couldn’t find any API endpoint listed in https://learn.microsoft.com/en-us/rest/api/securityinsights/operation-groups?view=rest-securityinsights-2024-01-01-preview that would allow me get to get the custom details with the values. Is there a sentinel or a graph API endpoint that’ll allow for me to get this information?Microsoft Defender "XDR" endpoint API Access (Powershell Script)
Hi Everyone, We are trying to access different part of Microsoft Defender. More precisely Endpoint after the XDR integration. We want to be able to get the different Permission Role and Device Group created. Also, the list of all advanced feature if they are enabled or not. We want to be able to get information like this The thing is, we try in a lot of way and could not find documentation about this precise request. We try with Graph Api and Rest Api. Always got error 401 (No permission). Could it be that those API are Private API from Microsoft ? https://security.microsoft.com/apiproxy/mtp/rbacManagementApi/rbac/user_roles https://security.microsoft.com/apiproxy/mtp/rbacManagementApi/rbac/machine_groups https://security.microsoft.com/apiproxy/mtp/settings/GetAdvancedFeaturesSetting
Major Delay with /alerts endpoint
Hey folks, I've been seeing some significant delays with the /alerts API endpoint. Ball park range of 2-5 hours. For example, there is an alert in Azure Sentinel that fires at ~13:00 UTC (based on TimeGenerated field). Our internal process that polls for new events from /alerts every ~2-3minutes doesn't pick up this new alert until ~17:00 UTC. I know there is the /alerts_v2 endpoint, and we're working on upgrading our processes to use that - but for the time being, I'm trying to find a solution / answer to this particular endpoint. Anyone experience this or have any insights?
MS Graph Authorization issue (Status code 401) - Power Automate Flow for Copilot Studio
Hi Folks, I am trying to develop a MS Power Automate Flow that can post QMS documents information to Copilot Studio bot based on users' question. I am using 'Create text with GPT using Prompt" to extract users' intention about documents from their natural language. Then use HTTP connector to post the results to Copilot Studio bot. I have done all the steps: 1. Registered App in Azure Portal 2. Granted Sites.Selected (Read) permission to my app so that it can read the information from QMS document library in SharePoint. We only want the app permission related to subsite not the whole site. The issue I am facing is that the HTTP action is still showing unauthorized Status code 401. Could you guide me if there is something incomplete or insufficient? Many thanks. After running please see below error: Best regards, perlite77
Connect Swimlane to pull Defender for Cloud Alerts
using Swimlane to ingest our alerts from Defender for cloud, I have setup our Access with the following items: URL: https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/alerts?api-version=2022-01-01https://graph.microsoft.com/v1.0/security/alerts Token URL: https://login.microsoftonline.com/tenant-ID/oauth2/v2.0/token Client ID: pulled from Registered App Client Secret: Created a New Ceretificates & secrets and added that Value Scope: https://graph.microsoft.com/.default When I run my Action to capture the "List of Alerts", I receive the following error: "reason": "Bad Request", "json_body": { "error": "invalid_request", "error_description": "AADSTS90014: The required field 'scope' is missing from the credential. Ensure that you have all the necessary parameters for the login request...." What parameters and how are those added and to which section? I'm new to API calls and not sure of the process. Appreciate your help, Serge403 Forbidden error when using create team Graph API
Hi, I have been using the create team API, it was working fine couple days back, there was no change in permissions or even in the code. Since 2 days we are facing 403 forbidden error. URL: https://graph.microsoft.com/v1.0/teams with request payload as mentioned below: { "email address removed for privacy reasons": "https://graph.microsoft.com/v1.0/teamsTemplates('standard')", "displayName": "Architecture test Team", "description": "The team for those in architecture design." } I have provided the required permissions for both application as well as delegated. Please find screenshot of the same The response is: { "error": { "code": "Forbidden", "message": "Failed to execute Templates backend request CreateTeamFromTemplateRequest. Request Url: https://teams.microsoft.com/fabric/apac/templates/api/team, Request Method: POST, Response Status Code: Forbidden, Response Headers: Strict-Transport-Security: max-age=2592000x-operationid: e0e36994bd8341ce936b7ef080a64f52x-telemetryid: 00-e0e36994bd8341ce936b7ef080a64f52-49c1a1267b1789f1-01X-MSEdge-Ref: Ref A: 21AF592ACFD244CA86C67D5750C3F243 Ref B: TYO01EDGE2718 Ref C: 2023-07-19T20:16:46ZDate: Wed, 19 Jul 2023 20:16:46 GMT, ErrorMessage : {\"errors\":[{\"message\":\"Error when calling Middle Tier. Message: ''. Error code: 'GetApplicableSkuCategoriesForUserFailed'. Status code: Forbidden.\",\"errorCode\":\"Unknown\"}],\"operationId\":\"e0e36994bd8341ce936b7ef080a64f52\"}", "innerError": { "message": "Failed to execute Templates backend request CreateTeamFromTemplateRequest. Request Url: https://teams.microsoft.com/fabric/apac/templates/api/team, Request Method: POST, Response Status Code: Forbidden, Response Headers: Strict-Transport-Security: max-age=2592000x-operationid: e0e36994bd8341ce936b7ef080a64f52x-telemetryid: 00-e0e36994bd8341ce936b7ef080a64f52-49c1a1267b1789f1-01X-MSEdge-Ref: Ref A: 21AF592ACFD244CA86C67D5750C3F243 Ref B: TYO01EDGE2718 Ref C: 2023-07-19T20:16:46ZDate: Wed, 19 Jul 2023 20:16:46 GMT, ErrorMessage : {\"errors\":[{\"message\":\"Error when calling Middle Tier. Message: ''. Error code: 'GetApplicableSkuCategoriesForUserFailed'. Status code: Forbidden.\",\"errorCode\":\"Unknown\"}],\"operationId\":\"e0e36994bd8341ce936b7ef080a64f52\"}", "code": "AccessDenied", "innerError": {}, "date": "2023-07-19T20:16:46", "request-id": "e0e36994-bd83-41ce-936b-7ef080a64f52", "client-request-id": "4aa73188-19d4-9382-2235-0530552047ec" } } } Any help in this regard is appriciated. Thank you.How to use multiple filter operations in beta Graph API?
I am trying to run the following API: https://graph.microsoft.com/beta/users?$count=true&$filter=signInActivity/lastSignInDateTime le 2022-09-01T00:00:00Z and endsWith(mail,'@alumni.xxx.xxx') and I get the following response: { "error": { "code": "BadRequest", "message": "Filter not supported.", "innerError": { "date": "2022-12-22T19:21:39", "request-id": "d994b51c-xxxx-xxxx-b0d5-97a8923ab5t9", "client-request-id": "d302b51c-xxxx-yyyy-zzzz-12a8035ce9r9" } } } Any idea as to what I'm doing wrong? ThxAuditing / Configuring Defender Alerts/Rules/Emails/Notifications
Hey there! I am trying to find a way to audit (and hopefully configure!) the Defender notification emails to make sure they are configured to send to our helpdesk, so it can start our ticketing process. Short of creating a custom application, and trying to subscribe or poll manually across every tenant, the best I have found so far is manually opening these for every separate customer to try and setup the settings So starting from https://security.microsoft.com for each customer, going to Settings, and following the mentioned path, or navigating to the URL on the right in turn with each customer tenantID filled in Incident Notifs M365 Defender > Email Notifs > Incidents https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleTy...<EachCustomerTenantID> Actions M365 Defender > Email Notifs > Actions https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleTy...<EachCustomerTenantID> Threat Analytics M365 Defender > Email Notifs > Threat Analytics https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleTy...<EachCustomerTenantID> Alert Tuning/Suppression M365 Defender > Alert Tuning https://security.microsoft.com/securitysettings/defender/alert_suppression?tid=<EachCustomerTenantID> Endpoint Alerts Endpoints > Email Notifications > Alerts https://security.microsoft.com/securitysettings/endpoints/email_notifications?childviewid=alerts&tid...<EachCustomerTenantID> Endpoint Vulnerabilities Endpoints > Email Notifications > Vulnerabilities https://security.microsoft.com/securitysettings/endpoints/email_notifications?childviewid=vulnerabil...<EachCustomerTenantID> Identity Health Notifs Microsoft Defender for Identity > Health Issues https://security.microsoft.com/settings/identities?tabid=healthIssuesNotifications&tid=<EachCustomerTenantID> Identity Alerts Microsoft Defender for Identity > Alert https://security.microsoft.com/settings/identities?tabid=securityAlertsNotifications&tid=<EachCustomerTenantID> I can easily get Incidents or Alerts for a specific tenant, even across tenants through DAP/GDAP/CSP rights. However - rather than querying hundreds of tenants, or trying to set up WebHook subscriptions or similar for them - I was going to just start with Auditing (and possibly manually configuring) the Notification Emails and Alerts to send an email to our ticketing system that we could follow up on. However, I can't find any PowerShell commands or API where I can access these notification settings (access the actual ALERTS themselves, no problem, but not audit the actual Notification Configuration on more than an individual Alert/Incident level) The backend of security.microsoft.com uses private API endpoints like https://security.microsoft.com/apiproxy/mtp/k8s/settings/ThreatAnalyticNotificationsSettings or https://security.microsoft.com/apiproxy/mtp/k8s/cloud/public/internal/IncidentNotificationSettingsV2 as an example for Incident Notifications. The list above is the URLs that you access as the Administrator to configure these by hand, but I am hoping to find a way to get API/Programmatic/Scripted access to these values - but I cannot find any (public) API that seems to access them other than manually. Does anyone have an idea?Issues with timespan on log analytics query API
Hi, This appears to be the best place for this query: We've been trying to set the API timespan for log analytics queries. However, even when using the correct ISO8601 format (PT1H for example), it does not work as it should - it does not work in a comparable manner to using the time period piece in the UI. There is no difference between using the Timespan piece and not - it returns the same details either way, in the example I was testing, multiple weeks worth (no time period was set inside the query). Query - Get - REST API (Azure Log Analytics) | Microsoft Learn Is this a bug, or is there a different format required for this? We have also tried with 1H, 01:00:00, etc., to no avail. Many thanks, Keith
microsoftgraph / security-api-solutions for MISP giving access_token error
Hi all, I am trying to integrate MISP feeds to Sentinel and followed the steps as per the documentation - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/integrating-open-source-threat-feeds-with-misp-and-sentinel/ba-p/1350371 https://github.com/microsoftgraph/security-api-solutions/tree/master/Samples/MISP I am stuck at the last step where we have to run the script.py in order to push the feeds to sentinel. I am getting the error of access_token Traceback (most recent call last): File "script.py", line 100, in <module> main() File "script.py", line 93, in main with RequestManager(total_indicators) as request_manager: File "/home/srvadmin/mispToSentinel/security-api-solutions/Samples/MISP/RequestManager.py", line 42, in __enter__ access_token = self._get_access_token( File "/home/srvadmin/mispToSentinel/security-api-solutions/Samples/MISP/RequestManager.py", line 70, in _get_access_token access_token = requests.post( KeyError: 'access_token' I am unable to identify where the script is failing and how to rectify it.
