Jan 18 2022 04:06 PM
I have an automated script which has been working well for a number of months. During December I started getting intermittent failures, which I ignored, but now they have become persistent. The problem is occurring for any queries of the DeviceTvmSoftwareVulnerabilities table. Even a simple one. The query I am submitting through the API works fine in the Advanced Hunting section of the Microsoft 365 Defender Portal.
Here is the code:
# $OauthUri, $AppId and $AppSecret are not defined in this snippet; they must be set beforehand.
# Request an app-only token (client credentials grant) for the Defender API.
$Body = [Ordered] @{
    resource      = "https://api.securitycenter.microsoft.com"
    client_id     = "$AppId"
    client_secret = "$AppSecret"
    grant_type    = 'client_credentials'
}
$Response = Invoke-RestMethod -Method Post -Uri $OauthUri -Body $Body -ErrorAction Stop
$AadToken = $Response.access_token

# Submit the advanced hunting query with the bearer token.
$Url = "https://api.securitycenter.microsoft.com/api/advancedqueries/run"
$Headers = @{
    'Content-Type' = 'application/json'
    Accept         = 'application/json'
    Authorization  = "Bearer $AadToken"
}
$Query = "DeviceTvmSoftwareVulnerabilities | take 1"
$Body = ConvertTo-Json -InputObject @{ 'Query' = $Query }
$WebResponse = Invoke-WebRequest -Method Post -Uri $Url -Headers $Headers -Body $Body -ErrorAction Stop -UseBasicParsing
The returned result is:
API call returned an error: {"error":{"code":"BadRequest","message":"'project' operator: Failed to resolve scalar expression named 'RecommendedSecurityUpdate'. Fix semantic errors in your query","target":"7c97d065-2c2a-4a55-8d63-068d2855813b"}}
Which is strange, because 'RecommendedSecurityUpdate' is the name of one of the returned columns. If I run the exact same code with the query 'DeviceTvmSoftwareInventory | take 1' it works fine.
Has something changed? Is this an issue in the platform like it seems to be? If so, how do I get support?
Jan 24 2022 08:48 PM
I am having the exact same issue with the API call using DeviceTvmSoftwareVulnerabilities.
I have a number of PowerBI reports which are now failing with a (400): Bad Request DataSource.Error: Web.Contents failed to get contents from 'https://api.securitycenter.microsoft.com/api/advancedqueries.
The reports had been working fine since they were created about 6 months ago and started failing late December.
I have recreated the query with a very basic lookup, but anything from DeviceTvmSoftwareVulnerabilities fails. All other queries to any other schema work fine, and using the DeviceTvmSoftwareVulnerabilities schema directly from Advanced Hunting works fine, so something must have changed with the API.
Jan 24 2022 11:06 PM
Jan 26 2022 02:51 PM
Jan 26 2022 04:36 PM
I can confirm this is fixed on my end now as well. So I suspect it was an issue on their end that they have resolved.