Update ISG alerts

Hi,

 

I am building a solution where I need the alerts that are published in the Intelligent Security Graph. Since there is no mechanism to push alerts to my solution, I am pulling the alerts out with an interval. 

 

To pull the alerts out of the ISG, I have designed the following procedure:

  1. Get alerts from the ISG that don't have the tag "processed" applied. I'll do that by using the following URI: https://graph.microsoft.com/beta/security/alerts?$filter=tag ne 'processed'
  2. Import the alerts into a SQL database
  3. Apply the tag "processed" to the ISG Alert

I have the following question:

When I try to apply the tag 'processed' to the ISG alert, I get a lot of errors that fields are missing (for example: status, eventDateTime, etc.). I am using the following HTTP body:

{
  "eventDateTime": "2018-07-17T10:14:00.4097161Z",
  "status": "newAlert",
  "tags": [
    "Processed"
  ]
}

When executing an HTTP request with the above body, I am getting the following error:

{
  "error": {
    "code": "",
    "message": "An error has occurred.",
    "innerError": {
      "message": "Required property 'type' not found in JSON. Path '', line 1, position 89.",
      "request-id": "6dd705f5-9eb2-4bf0-9ab7-1bae9395aa54",
      "date": "2018-07-17T11:32:10"
    }
  }
}

The property "type" is not defined in the documentation: https://developer.microsoft.com/en-us/graph/docs/concepts/query_parameters#filter-parameter. Can someone tell me what the property "type" is, or share an HTTP body that successfully applies a tag to an alert?

 

Thanks in advance!


Hi Jeroen,

 

Sorry to hear about the problems you are running into. It seems you are trying to find the alert status and update that. This is available via the status property in the alert schema – details with enum values (newAlert, in Progress, resolved, etc.) are documented @ https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/alert . You can get different status values and we plan to enable update / PATCH scenario this Fall.

We do not recommend using tags for status update of alerts. Moreover, tags are an array hence the filter query syntax "$filter=tag" needs to be corrected to cater to ODATA support for filtering array types.

Thanks for sharing the error message you are seeing (upon executing the HTTP request) – the error message expected here is a 400 / bad request for unsupported behavior. We are fixing this error message to return a 400, and this should be there in the next day or so.

 

Thanks for your feedback.

Preeti

Hi Preeti,

 

Thanks for your answer. As far as I understand, the "status" property is not a writable property; and even if it were a writable property, I would rather have it updated by the source system (e.g. Security Center, ATP, etc.).

 

I am currently looking for a mechanism to do a "diff" of the alerts that are in my system and the alerts that the Intelligent Security Graph is providing us. I want to import the alerts that are not in my system but are in the ISG. Applying a tag once an alert has been imported gives me the possibility to filter on new alerts that have not been imported yet.

 

I hope this gives you more context on why I would use tags.

 

Thanks,

Jeroen
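The poll / diff / tag loop from the original post and the follow-up, as an added example that is not code from either poster or from Microsoft. It does the diff client-side against a set of already-imported alert ids (so it does not depend on the `$filter=tag ne` syntax the reply flags as wrong), and because `tags` is an array, the PATCH body carries the existing tags over instead of dropping them. The sample alerts are constructed, the PATCH URL and body shape are assumptions to be checked against the beta alert docs, and `importer` / `patcher` are hypothetical hooks for the SQL insert and the HTTP call.

```python
from typing import Callable, Iterable

GRAPH_ALERTS = "https://graph.microsoft.com/beta/security/alerts"
# One casing everywhere: the post used 'Processed' in the body but 'processed' in the filter.
PROCESSED_TAG = "processed"

# Constructed sample of what a GET on the alerts collection might return (not real ISG data).
SAMPLE_ALERTS = [
    {"id": "alert-001", "status": "newAlert", "tags": []},
    {"id": "alert-002", "status": "inProgress", "tags": ["Processed"]},
    {"id": "alert-003", "status": "newAlert", "tags": ["triage"]},
]


def is_processed(alert: dict, tag: str = PROCESSED_TAG) -> bool:
    """Case-insensitive tag match, so 'Processed' and 'processed' count as the same marker."""
    return any(t.lower() == tag.lower() for t in alert.get("tags", []))


def select_new_alerts(alerts: Iterable[dict], known_ids: set) -> list:
    """The diff: alerts the ISG has that the local store does not.
    Alerts already carrying the tag are skipped too, which covers a tag write
    that landed before the local id set was refreshed."""
    return [a for a in alerts if a["id"] not in known_ids and not is_processed(a)]


def tag_patch(alert: dict, tag: str = PROCESSED_TAG) -> tuple:
    """URL and body for marking one alert (assumed PATCH shape).
    tags is a collection, so a PATCH replaces the whole array: keep existing tags."""
    kept = [t for t in alert.get("tags", []) if t.lower() != tag.lower()]
    return f"{GRAPH_ALERTS}/{alert['id']}", {"tags": kept + [tag]}


def sync(alerts: Iterable[dict], known_ids: set,
         importer: Callable[[dict], None], patcher: Callable[[str, dict], None]) -> list:
    """importer(alert) writes the alert to the SQL store; patcher(url, body) sends the PATCH.
    Tag only after the import succeeded, so a failed insert is picked up on the next poll."""
    imported = []
    for alert in select_new_alerts(alerts, known_ids):
        importer(alert)
        patcher(*tag_patch(alert))
        imported.append(alert["id"])
    return imported
```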