IdentityInfo not available via /api/advancedqueries


Hello,

I created a query in the advanced hunting interface from security.microsoft.com.

It accesses the tables DeviceInfo and IdentityInfo and gets out the email of the last logged-in user.

Now I wanted to create a script to load this data in a nightly job in a database like I already do with other data from the API.

But querying the IdentityInfo fails, because the table is not visible via the advancedqueries API!

I boiled it down to just querying the table (target is redacted by me):

Query =  'IdentityInfo ' gives: 

https://api.securitycenter.microsoft.com:443 "POST /api/advancedqueries/run HTTP/1.1" 400 213

{"error":{"code":"BadRequest","message":"\'\' operator: Failed to resolve table or column or scalar expression named \'IdentityInfo\'. Fix semantic errors in your query","target":"xxxxxxxxxx"}}'

 

I thought the advanced-queries API should support all the Hunting queries.

Even here the table IdentityInfo is regarded as an example:

Best practices for leveraging Microsoft 365 Defender API's - Episode One - Microsoft Tech Community

 

2 Replies
Hello
I was having the exact same problem before I went on leave. The first days of this week, I was able to successfully execute queries towards this table via API, but since yesterday, I'm stuck again. Is there any way we can check if any given GRAPH app has access rights to this table?
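
An added example, not part of the thread or of any Microsoft code: one way a nightly job could tell the "Failed to resolve table" 400 quoted above apart from auth or throttling errors, and log when a table's availability flips as the reply describes. The function names, the per-table `<table> | take 1` probe, the dates and the 200 body are assumptions constructed for illustration.

```python
import json
import re

# Message format taken from the 400 response quoted in the post above.
UNRESOLVED = re.compile(
    r"Failed to resolve table or column or scalar expression named '([^']+)'")

def classify(status, body):
    """Classify one /api/advancedqueries/run response as (verdict, detail)."""
    if status == 200:
        return ("ok", None)
    try:
        err = json.loads(body)["error"]
        code, message = err.get("code"), err.get("message", "")
    except (ValueError, KeyError, TypeError, AttributeError):
        return ("unparseable", body[:200])
    match = UNRESOLVED.search(message)
    if status == 400 and match:
        # The endpoint does not know this name: retrying will not help.
        return ("schema_missing", match.group(1))
    if status in (401, 403):
        return ("auth", code)
    if status == 429 or status >= 500:
        return ("retry", code)
    return ("query_error", message)

def availability_changes(probes):
    """probes: (date, table, status, body) in date order, one `<table> | take 1`
    probe per night. Returns (date, table, old, new) whenever a verdict flips."""
    last, changes = {}, []
    for date, table, status, body in probes:
        verdict = classify(status, body)[0]
        if table in last and last[table] != verdict:
            changes.append((date, table, last[table], verdict))
        last[table] = verdict
    return changes

# Constructed sample data: the error body from the post, plus invented dates.
ERROR_BODY = json.dumps({"error": {
    "code": "BadRequest",
    "message": "'' operator: Failed to resolve table or column or scalar "
               "expression named 'IdentityInfo'. Fix semantic errors in your query",
    "target": "xxxxxxxxxx"}})
PROBES = [
    ("2024-01-01", "IdentityInfo", 400, ERROR_BODY),
    ("2024-01-02", "IdentityInfo", 200, '{"Results": []}'),
    ("2024-01-03", "IdentityInfo", 400, ERROR_BODY),
    ("2024-01-03", "DeviceInfo", 200, '{"Results": []}'),
]

if __name__ == "__main__":
    for change in availability_changes(PROBES):
        print(change)
```

A `schema_missing` verdict points at the endpoint's schema rather than at the app's token, which is a different failure from the `auth` verdict a 401 or 403 would produce.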