Filtering Security Graph API in power automate

Filtering Security Graph API in power automate

I am using the Microsoft Graph Security connector to get alerts in Power Automate. I am trying to filter the results to just MCAS alerts, but there doesn't appear to be a field that contains only MCAS that I can filter on.

I first tried filtering on the "category" field, which starts with MCAS, and then the "vendorInformation" field, which has a sub-field called "provider" containing MCAS; however, neither works with the eq operator. Is there a "like" or "contains" option?

If there are no "like" or "contains" style options, any suggestions on how to achieve the desired outcome?

"category": "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY",

"vendorInformation": {
     "provider": "MCAS",

{
"id": "XXXXXX",
"azureTenantId": "XXXXX",
"azureSubscriptionId": null,
"riskScore": null,
"tags": [],
"activityGroupName": null,
"assignedTo": null,
"category": "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY",
"closedDateTime": null,
"comments": [],
"confidence": null,
"createdDateTime": "2020-03-15T00:02:08.093Z",
"description": "The user XXXX XXXX (XXXX.XXXX@XXXX.com.au) perform failed sign in activities from remote locations that are considered an impossible travel activity. The user performed failed sign in activities from 2001:8004:c81:d661:d894:8a4e:6434:6fa2 in Australia and 183.89.211.22 in Thailand within 140 minutes.",
"detectionIds": [],
"eventDateTime": "2020-03-14T21:36:35Z",
"feedback": null,
"lastModifiedDateTime": "2020-03-15T00:02:08.6554137Z",
"recommendedActions": [],
"severity": "medium",
"sourceMaterials": [
"https://XXXX.portal.cloudappsecurity.com/#/policy/?id=eq(XXXX)",
"https://XXXX.portal.cloudappsecurity.com/#/alerts/XXXX"
],
"status": "unknown",
"title": "Impossible travel activity",
"vendorInformation": {
"provider": "MCAS",
"providerVersion": null,
"subProvider": null,
"vendor": "Microsoft"
},
"cloudAppStates": [
{
"destinationServiceIp": null,
"destinationServiceName": "Microsoft Exchange Online",
"riskScore": null
},
{
"destinationServiceIp": null,
"destinationServiceName": "Office 365",
"riskScore": null
}
],
"fileStates": [],
"hostStates": [],
"historyStates": [],
"malwareStates": [],
"networkConnections": [],
"processes": [],
"registryKeyStates": [],
"triggers": [],
"userStates": [
{
"aadUserId": "XXXX",
"accountName": "XXXX.XXXX",
"domainName": "XXXX.com.au",
"emailRole": "unknown",
"isVpn": null,
"logonDateTime": null,
"logonId": null,
"logonIp": null,
"logonLocation": null,
"logonType": null,
"onPremisesSecurityIdentifier": null,
"riskScore": null,
"userAccountType": null,
"userPrincipalName": "XXXX.XXXX@XXXX.com.au"
}
],
"vulnerabilityStates": []
},

Labels: Microsoft Flow, PowerApps

Re: Filtering Security Graph API in power automate

@lfkentwell You can use startswith in the $filter query option, like this:
https://graph.microsoft.com/v1.0/security/alerts?$filter=startswith(category, 'MCAS')

I am using the Microsoft Graph Security connector to get alerts in Power Automate. I am trying to filter the results to just MCAS alerts, but there doesn't appear to be a field that contains only MCAS that I can filter on.

 

I first tried filtering on the "category" field, which starts with MCAS, and then the "vendorInformation" field, which has a sub-field called "provider" containing MCAS; however, neither works with the eq operator. Is there a "like" or "contains" option?

 

If there are no "like" or "contains" style options, any suggestions on how to achieve the desired outcome?

 

"category": "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY",

 

"vendorInformation": {
     "provider": "MCAS",

 

 

 

{
"id": "XXXXXX",
"azureTenantId": "XXXXX",
"azureSubscriptionId": null,
"riskScore": null,
"tags": [],
"activityGroupName": null,
"assignedTo": null,
"category": "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY",
"closedDateTime": null,
"comments": [],
"confidence": null,
"createdDateTime": "2020-03-15T00:02:08.093Z",
"description": "The user XXXX XXXX (XXXX.XXXX@XXXX.com.au) perform failed sign in activities from remote locations that are considered an impossible travel activity. The user performed failed sign in activities from 2001:8004:c81:d661:d894:8a4e:6434:6fa2 in Australia and 183.89.211.22 in Thailand within 140 minutes.",
"detectionIds": [],
"eventDateTime": "2020-03-14T21:36:35Z",
"feedback": null,
"lastModifiedDateTime": "2020-03-15T00:02:08.6554137Z",
"recommendedActions": [],
"severity": "medium",
"sourceMaterials": [
"https://XXXX.portal.cloudappsecurity.com/#/policy/?id=eq(XXXX)",
"https://XXXX.portal.cloudappsecurity.com/#/alerts/XXXX"
],
"status": "unknown",
"title": "Impossible travel activity",
"vendorInformation": {
"provider": "MCAS",
"providerVersion": null,
"subProvider": null,
"vendor": "Microsoft"
},
"cloudAppStates": [
{
"destinationServiceIp": null,
"destinationServiceName": "Microsoft Exchange Online",
"riskScore": null
},
{
"destinationServiceIp": null,
"destinationServiceName": "Office 365",
"riskScore": null
}
],
"fileStates": [],
"hostStates": [],
"historyStates": [],
"malwareStates": [],
"networkConnections": [],
"processes": [],
"registryKeyStates": [],
"triggers": [],
"userStates": [
{
"aadUserId": "XXXX",
"accountName": "XXXX.XXXX",
"domainName": "XXXX.com.au",
"emailRole": "unknown",
"isVpn": null,
"logonDateTime": null,
"logonId": null,
"logonIp": null,
"logonLocation": null,
"logonType": null,
"onPremisesSecurityIdentifier": null,
"riskScore": null,
"userAccountType": null,
"userPrincipalName": "XXXX.XXXX@XXXX.com.au"
}
],
"vulnerabilityStates": []
},
