SOLVED

Send to analytics data collector errors

andrew_bryant
Contributor

I have two playbooks that collect logs in JSON format from a 3rd party API (Proofpoint TAP and Cisco AMP for endpoints). When I run the playbooks I can see that each one gets data from the third party API. But then it fails to send it to log analytics with these errors.

TAP:

ExpressionEvaluationFailed. The execution of template action 'For_each' failed: the result of the evaluation of 'foreach' expression '@body('HTTP')' is of type 'String'. The result must be a valid array.

AMP:

ExpressionEvaluationFailed. The execution of template action 'For_each' failed: the result of the evaluation of 'foreach' expression '@body('HTTP')' is of type 'Object'. The result must be a valid array.

Both of them use the HTTP connector to get the data. Is there another step I need to do in between to get the data ready to import into log analytics?

3 Replies

@andrew_bryant

@Ofer_Shezaf: Is this something you can help with?

@Chris Boehm

Solution

@Valon_Kolica

Ofer and I discussed offline. The solution is detailed here:

https://techcommunity.microsoft.com/t5/Security-Identity/Sending-REST-API-data-to-Azure-Sentinel/m-p...

One thing I would note, for the Proofpoint playbook, even after adding the step to parse the JSON I would get errors like “expected integer but got a number” or “expected string and got null.” The fix was to go back into the schema in the step and find places where the value was integer and set it to allow an integer or a number. Same thing for string, allow string or null.
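
An added example, not part of the original thread: a Python helper that applies the schema change described in the reply above (integer widened to integer or number, string widened to string or null) across a generated Parse JSON schema, with a type-only checker to show the effect. The field names, the sample record and the checker are constructed for illustration; the checker is not the validator Logic Apps uses.

```python
# Widening rules from the reply above: integer -> integer or number,
# string -> string or null.
WIDEN = {"integer": ["integer", "number"], "string": ["string", "null"]}

# JSON Schema type names mapped to Python predicates (bool is not a number).
CHECKS = {
    "null": lambda v: v is None,
    "string": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "object": lambda v: isinstance(v, dict),
    "array": lambda v: isinstance(v, list),
}

def relax_schema(node):
    """Return a copy of a JSON Schema with strict scalar types widened."""
    if isinstance(node, list):
        return [relax_schema(n) for n in node]
    if not isinstance(node, dict):
        return node
    out = {k: relax_schema(v) for k, v in node.items()}
    if isinstance(out.get("type"), str) and out["type"] in WIDEN:
        out["type"] = list(WIDEN[out["type"]])
    return out

def type_errors(value, schema, path="$"):
    """Type-only check of a value against a schema; returns error strings."""
    types = schema.get("type", [])
    types = [types] if isinstance(types, str) else types
    if types and not any(CHECKS[t](value) for t in types):
        return [f"{path}: expected {' or '.join(types)}, got {type(value).__name__}"]
    errors = []
    if isinstance(value, dict):
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                errors += type_errors(value[key], sub, f"{path}.{key}")
    elif isinstance(value, list) and isinstance(schema.get("items"), dict):
        for i, item in enumerate(value):
            errors += type_errors(item, schema["items"], f"{path}[{i}]")
    return errors

# Constructed sample: a schema generated from one payload, then a later record
# with a fractional score and a null subject (hypothetical field names).
STRICT = {"type": "array", "items": {"type": "object", "properties": {
    "spamScore": {"type": "integer"},
    "subject": {"type": "string"},
}}}
RECORDS = [{"spamScore": 87.5, "subject": None}]
```

Fields widened to allow null arrive in Log Analytics without a value, so detection queries over them need to handle the empty case.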
