https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/api-power-bi
but for the new tables. It gives me an error
DataSource.Error. Web.Contents failed to get contents from 'https://api.securitycenter.microsoft.com/api/advancedqueries?key=ldentityLogonEvents%20%7C%20where%20ActionType%20%21contains%20%27LogonSuccess%27' (400): Bad Request
Details
DataSourceKind = Web
DataSourcePath = https://api.securitycenter.microsoftcom/api/advancedqueries
Url = https://api.securitycenter.microsoft.com/api/advancedqueries?key=ldentityLogonEvents%20%7C%20where%20ActionType%20%21contains%20%27LogonSuccess%27
This is my query in Power BI:
let
    AdvancedHuntingQuery = "IdentityLogonEvents | where ActionType !contains 'LogonSuccess'",
    HuntingUrl = "https://api.securitycenter.microsoft.com/api/advancedqueries",
    Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])),
    TypeMap = #table(
        { "Type", "PowerBiType" },
        {
            { "Double", Double.Type },
            { "Int64", Int64.Type },
            { "Int32", Int32.Type },
            { "Int16", Int16.Type },
            { "UInt64", Number.Type },
            { "UInt32", Number.Type },
            { "UInt16", Number.Type },
            { "Byte", Byte.Type },
            { "Single", Single.Type },
            { "Decimal", Decimal.Type },
            { "TimeSpan", Duration.Type },
            { "DateTime", DateTimeZone.Type },
            { "String", Text.Type },
            { "Boolean", Logical.Type },
            { "SByte", Logical.Type },
            { "Guid", Text.Type }
        }),
    Schema = Table.FromRecords(Response[Schema]),
    TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap, {"Type"}),
    Results = Response[Results],
    Rows = Table.FromRecords(Results, Schema[Name]),
    Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}})),
    #"Sorted rows" = Table.Sort(Table, {{"count_DeviceId", Order.Descending}}),
    #"Filtered rows" = Table.SelectRows(#"Sorted rows", each [VulnerabilitySeverityLevel] = "Critical")
in
    #"Filtered rows"
So likely it is not OK 😞
Or is there a new hunting URL for it? If so, the page needs to be refreshed. Can you help me with it?
Kind regards
Quinzy