IdentityInfo not available via /api/advancedqueries


Hello,

I created a query in the advanced hunting interface from security.microsoft.com.

It accesses the tables DeviceInfo and IdentityInfo and gets out the email of the last logged-in user.

Now I wanted to create a script to load this data into a database in a nightly job, like I already do with other data from the API.

But querying the IdentityInfo table fails, because the table is not visible via the advancedqueries API!

I boiled it down to just querying the table (target is redacted by me):

Query = 'IdentityInfo ' gives:

https://api.securitycenter.microsoft.com:443 "POST /api/advancedqueries/run HTTP/1.1" 400 213

{"error":{"code":"BadRequest","message":"\'\' operator: Failed to resolve table or column or scalar expression named \'IdentityInfo\'. Fix semantic errors in your query","target":"xxxxxxxxxx"}}'

I thought the advanced-queries API should support all the Hunting queries.

Even here the table IdentityInfo is regarded as an example:

Best practices for leveraging Microsoft 365 Defender API's - Episode One - Microsoft Tech Community

0 Replies