Filtering Security Graph API in power automate

Contributor

I am using the Microsoft Graph Security connector to get alerts in Power Automate.  I am trying to filter the results to just MCAS alerts however there doesn't appear to be a field that just has MCAS that I can filter on.

 

I first tried filtering on "category" field which starts with MCAS and then the "vendorInformation" field that has a sub field called "provider" field that has MCAS however these don't work when using the eq operator.  Is there a "like" or "contains" option??? 

 

If there are no "like" or "contains" style options any suggestions on how to achieve the desired outcome?

 

"category": "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY",

 

"vendorInformation": {
     "provider": "MCAS",

 

 

 

{
"id": "XXXXXX",
"azureTenantId": "XXXXX",
"azureSubscriptionId": null,
"riskScore": null,
"tags": [],
"activityGroupName": null,
"assignedTo": null,
"category": "MCAS_ALERT_ANUBIS_DETECTION_VELOCITY",
"closedDateTime": null,
"comments": [],
"confidence": null,
"createdDateTime": "2020-03-15T00:02:08.093Z",
"description": "The user XXXX XXXX (XXXX.XXXX@XXXX.com.au) perform failed sign in activities from remote locations that are considered an impossible travel activity. The user performed failed sign in activities from 2001:8004:c81:d661:d894:8a4e:6434:6fa2 in Australia and 183.89.211.22 in Thailand within 140 minutes.",
"detectionIds": [],
"eventDateTime": "2020-03-14T21:36:35Z",
"feedback": null,
"lastModifiedDateTime": "2020-03-15T00:02:08.6554137Z",
"recommendedActions": [],
"severity": "medium",
"sourceMaterials": [
"https://XXXX.portal.cloudappsecurity.com/#/policy/?id=eq(XXXX)",
"https://XXXX.portal.cloudappsecurity.com/#/alerts/XXXX"
],
"status": "unknown",
"title": "Impossible travel activity",
"vendorInformation": {
"provider": "MCAS",
"providerVersion": null,
"subProvider": null,
"vendor": "Microsoft"
},
"cloudAppStates": [
{
"destinationServiceIp": null,
"destinationServiceName": "Microsoft Exchange Online",
"riskScore": null
},
{
"destinationServiceIp": null,
"destinationServiceName": "Office 365",
"riskScore": null
}
],
"fileStates": [],
"hostStates": [],
"historyStates": [],
"malwareStates": [],
"networkConnections": [],
"processes": [],
"registryKeyStates": [],
"triggers": [],
"userStates": [
{
"aadUserId": "XXXX",
"accountName": "XXXX.XXXX",
"domainName": "XXXX.com.au",
"emailRole": "unknown",
"isVpn": null,
"logonDateTime": null,
"logonId": null,
"logonIp": null,
"logonLocation": null,
"logonType": null,
"onPremisesSecurityIdentifier": null,
"riskScore": null,
"userAccountType": null,
"userPrincipalName": "XXXX.XXXX@XXXX.com.au"
}
],
"vulnerabilityStates": []
},

1 Reply