Jul 17 2018 04:37 AM
Hi,
I am building a solution where I need the alerts that are published in the Intelligent Security Graph. Since there is no mechanism to push alerts to my solution, I am pulling the alerts out with an interval.
To pull the alerts out of the ISG, I have designed the following procedure:
I have the following question:
When I try to apply the tag 'processed' to an ISG alert, I get a lot of errors that fields are missing (for example: status, eventDateTime, etc.). I am using the following HTTP body:
{
    "eventDateTime": "2018-07-17T10:14:00.4097161Z",
    "status": "newAlert",
    "tags": [
        "Processed"
    ]
}
When executing an HTTP request with the above body, I am getting the following error:
{
    "error": {
        "code": "",
        "message": "An error has occurred.",
        "innerError": {
            "message": "Required property 'type' not found in JSON. Path '', line 1, position 89.",
            "request-id": "6dd705f5-9eb2-4bf0-9ab7-1bae9395aa54",
            "date": "2018-07-17T11:32:10"
        }
    }
}
The property "type" is not defined in the documentation: https://developer.microsoft.com/en-us/graph/docs/concepts/query_parameters#filter-parameter. Can someone tell me what the property "type" is, or share an HTTP body that successfully applies a tag to an alert?
Thanks in advance!
Jul 23 2018 03:39 PM
Hi Jeroen,
Sorry to hear about the problems you are running into. It seems you are trying to find the alert status and update that. This is available via the status property in the alert schema – details with enum values (newAlert, in Progress, resolved, etc.) are documented @ https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/alert . You can get different status values and we plan to enable update / PATCH scenario this Fall.
We do not recommend using tags for status update of alerts. Moreover, tags are an array hence the filter query syntax "$filter=tag" needs to be corrected to cater to ODATA support for filtering array types.
Thanks for sharing the error message you are seeing (upon executing the HTTP request) – the error message expected here is a 400 / bad request for unsupported behavior. We are fixing this error message to return a 400, and this should be there in the next day or so.
Thanks for your feedback.
Preeti
Jul 26 2018 04:53 AM - edited Jul 26 2018 04:54 AM
Hi Preeti,
Thanks for your answer. As far as I understand, the "status" property is not a writable property; and even if it were a writable property, I would rather have it updated by the source system (e.g. Security Center, ATP, etc.).
I am currently looking for a mechanism to do a "diff" of the alerts that are in my system and the alerts that the Intelligent Security Graph is providing us. I want to import the alerts that are not in my system but are in the ISG. Applying a tag once an alert has been imported gives me the possibility to filter on new alerts that have not been imported yet.
I hope this will give you more context why I would use tags.
Thanks,
Jeroen
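The two mechanics discussed in this thread, walking the paged alerts collection and diffing it against a local store, and the OData syntax needed to filter on the array-typed tags property, as an added example. This is not code from the thread or from Microsoft; it runs offline against constructed sample pages. Assumptions are marked in the comments: the page shape ("value" plus "@odata.nextLink") follows the Graph collection convention, the "not tags/any(...)" filter form is standard OData and should be verified against the current Security API docs, and the PATCH body includes vendorInformation because the later v1.0 API requires it (the beta body in the thread did not).

```python
import json
from datetime import datetime, timezone

# Constructed sample: two pages shaped like a Graph Security API alerts
# collection ("value" array plus an optional "@odata.nextLink"). Not real alerts.
PAGE_1 = {
    "value": [
        {"id": "alert-001", "status": "newAlert",
         "createdDateTime": "2018-07-17T09:00:00.000Z", "tags": [],
         "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"}},
        {"id": "alert-002", "status": "newAlert",
         "createdDateTime": "2018-07-17T10:14:00.4097161Z", "tags": ["Processed"],
         "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"}},
    ],
    "@odata.nextLink": "https://graph.microsoft.com/beta/security/alerts?$skiptoken=page2",
}
PAGE_2 = {
    "value": [
        {"id": "alert-003", "status": "inProgress",
         "createdDateTime": "2018-07-17T11:30:00.000Z", "tags": [],
         "vendorInformation": {"provider": "ATP", "vendor": "Microsoft"}},
    ]
}
FAKE_PAGES = {"first": PAGE_1, PAGE_1["@odata.nextLink"]: PAGE_2}


def fake_fetch(url):
    """Stand-in for an authenticated GET (hypothetical); returns a constructed page."""
    return FAKE_PAGES[url]


def collect_alerts(fetch, first_url="first", max_pages=50):
    """Follow @odata.nextLink until the collection is exhausted (bounded, so a
    misbehaving service cannot keep the poller looping forever)."""
    alerts, url, pages = [], first_url, 0
    while url and pages < max_pages:
        page = fetch(url)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
        pages += 1
    return alerts


def parse_graph_time(value):
    """Graph timestamps carry 7 fractional digits; Python keeps 6, so truncate."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=micro, tzinfo=timezone.utc)


def select_new_alerts(alerts, known_ids, tag="Processed"):
    """The 'diff': alerts neither stored locally (by id) nor already tagged."""
    return [a for a in alerts
            if a["id"] not in known_ids and tag not in a.get("tags", [])]


def newest_created(alerts):
    """Watermark for the next poll: the latest createdDateTime seen so far."""
    return max(parse_graph_time(a["createdDateTime"]) for a in alerts)


def since_filter(watermark):
    """$filter value that asks only for alerts created at or after the watermark."""
    return "createdDateTime ge " + watermark.strftime("%Y-%m-%dT%H:%M:%SZ")


def processed_filter(tag="Processed"):
    """$filter value for a collection property. tags is an array, so a plain
    '$filter=tag eq ...' is invalid; OData uses a lambda over the collection.
    Assumption: the service accepts 'not ... any'; check the current docs."""
    return f"not tags/any(t:t eq '{tag}')"


def build_tag_patch(alert, tag="Processed"):
    """PATCH body that adds a tag without dropping existing ones. Assumption:
    vendorInformation.provider/vendor are required in the body (v1.0 behaviour)."""
    tags = list(alert.get("tags", []))
    if tag not in tags:
        tags.append(tag)
    vi = alert["vendorInformation"]
    return {"vendorInformation": {"provider": vi["provider"], "vendor": vi["vendor"]},
            "tags": tags}


if __name__ == "__main__":
    fetched = collect_alerts(fake_fetch)
    fresh = select_new_alerts(fetched, known_ids={"alert-003"})
    for a in fresh:
        print("PATCH /security/alerts/" + a["id"], json.dumps(build_tag_patch(a)))
    print("next poll $filter:", since_filter(newest_created(fetched)))
```

The local id set plus the createdDateTime watermark is the safer dedup mechanism of the two: a tag lives on the alert itself, so anyone holding Alert.ReadWrite on the tenant can add "Processed" and quietly exclude an alert from your import, whereas the watermark and id store are under your control. Keep the tag as a courtesy marker for other consumers rather than as the sole source of truth.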