apis
24 Topics

Utilizing Graph API to do Planner/Groups stuff without being in Group
Hello, I am looking to use a global administrator account to do a lot of stuff, but one of those things is to generate planner tasks. The code works, but it will only work if the account is a member of the group. Is there a way to not do this? Should I add/remove the user via code every time I do it? What is the latency there?

2.8K Views, 0 likes, 3 Comments

Defender API question... EmailEvents Table, IdentityInfo table?
Defender API Question.... Is there a way to query the EmailEvents table through an api? Or the Identityinfo table? I'm currently testing through - api-us.securitycenter.microsoft.com and playing around with the available tables to query, there doesn't seem to be much other than the Device* tables. Also, I've got the Microsoft api reference links from here, https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exposed-apis-list?view=o365-worldwide. And I'm going through the Azure Sentinel Notebooks and the msticpy notebooks, but I'd appreciate any videos or blogs about exploring the tables and data through the api and jupyter notebooks. This is really super cool!

2.7K Views, 0 likes, 1 Comment

How to use multiple filter operations in beta Graph API?
I am trying to run the following API:

https://graph.microsoft.com/beta/users?$count=true&$filter=signInActivity/lastSignInDateTime le 2022-09-01T00:00:00Z and endsWith(mail,'@alumni.xxx.xxx')

and I get the following response:

{
  "error": {
    "code": "BadRequest",
    "message": "Filter not supported.",
    "innerError": {
      "date": "2022-12-22T19:21:39",
      "request-id": "d994b51c-xxxx-xxxx-b0d5-97a8923ab5t9",
      "client-request-id": "d302b51c-xxxx-yyyy-zzzz-12a8035ce9r9"
    }
  }
}

Any idea as to what I'm doing wrong? Thx

2.7K Views, 0 likes, 4 Comments

403 Forbidden error when using create team Graph API
Hi, I have been using the create team API, it was working fine couple days back, there was no change in permissions or even in the code. Since 2 days we are facing 403 forbidden error.

URL: https://graph.microsoft.com/v1.0/teams with request payload as mentioned below:

{
  "email address removed for privacy reasons": "https://graph.microsoft.com/v1.0/teamsTemplates('standard')",
  "displayName": "Architecture test Team",
  "description": "The team for those in architecture design."
}

I have provided the required permissions for both application as well as delegated. Please find screenshot of the same

The response is:

{
  "error": {
    "code": "Forbidden",
    "message": "Failed to execute Templates backend request CreateTeamFromTemplateRequest. Request Url: https://teams.microsoft.com/fabric/apac/templates/api/team, Request Method: POST, Response Status Code: Forbidden, Response Headers: Strict-Transport-Security: max-age=2592000x-operationid: e0e36994bd8341ce936b7ef080a64f52x-telemetryid: 00-e0e36994bd8341ce936b7ef080a64f52-49c1a1267b1789f1-01X-MSEdge-Ref: Ref A: 21AF592ACFD244CA86C67D5750C3F243 Ref B: TYO01EDGE2718 Ref C: 2023-07-19T20:16:46ZDate: Wed, 19 Jul 2023 20:16:46 GMT, ErrorMessage : {\"errors\":[{\"message\":\"Error when calling Middle Tier. Message: ''. Error code: 'GetApplicableSkuCategoriesForUserFailed'. Status code: Forbidden.\",\"errorCode\":\"Unknown\"}],\"operationId\":\"e0e36994bd8341ce936b7ef080a64f52\"}",
    "innerError": {
      "message": "Failed to execute Templates backend request CreateTeamFromTemplateRequest. Request Url: https://teams.microsoft.com/fabric/apac/templates/api/team, Request Method: POST, Response Status Code: Forbidden, Response Headers: Strict-Transport-Security: max-age=2592000x-operationid: e0e36994bd8341ce936b7ef080a64f52x-telemetryid: 00-e0e36994bd8341ce936b7ef080a64f52-49c1a1267b1789f1-01X-MSEdge-Ref: Ref A: 21AF592ACFD244CA86C67D5750C3F243 Ref B: TYO01EDGE2718 Ref C: 2023-07-19T20:16:46ZDate: Wed, 19 Jul 2023 20:16:46 GMT, ErrorMessage : {\"errors\":[{\"message\":\"Error when calling Middle Tier. Message: ''. Error code: 'GetApplicableSkuCategoriesForUserFailed'. Status code: Forbidden.\",\"errorCode\":\"Unknown\"}],\"operationId\":\"e0e36994bd8341ce936b7ef080a64f52\"}",
      "code": "AccessDenied",
      "innerError": {},
      "date": "2023-07-19T20:16:46",
      "request-id": "e0e36994-bd83-41ce-936b-7ef080a64f52",
      "client-request-id": "4aa73188-19d4-9382-2235-0530552047ec"
    }
  }
}

Any help in this regard is appreciated. Thank you.

1.9K Views, 0 likes, 1 Comment

microsoftgraph / security-api-solutions for MISP giving access_token error
Hi all, I am trying to integrate MISP feeds to Sentinel and followed the steps as per the documentation -

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/integrating-open-source-threat-feeds-with-misp-and-sentinel/ba-p/1350371
https://github.com/microsoftgraph/security-api-solutions/tree/master/Samples/MISP

I am stuck at the last step where we have to run the script.py in order to push the feeds to sentinel. I am getting the error of access_token

Traceback (most recent call last):
  File "script.py", line 100, in <module>
    main()
  File "script.py", line 93, in main
    with RequestManager(total_indicators) as request_manager:
  File "/home/srvadmin/mispToSentinel/security-api-solutions/Samples/MISP/RequestManager.py", line 42, in __enter__
    access_token = self._get_access_token(
  File "/home/srvadmin/mispToSentinel/security-api-solutions/Samples/MISP/RequestManager.py", line 70, in _get_access_token
    access_token = requests.post(
KeyError: 'access_token'

I am unable to identify where the script is failing and how to rectify it.

1.7K Views, 0 likes, 1 Comment

Auditing / Configuring Defender Alerts/Rules/Emails/Notifications
Hey there! I am trying to find a way to audit (and hopefully configure!) the Defender notification emails to make sure they are configured to send to our helpdesk, so it can start our ticketing process. Short of creating a custom application, and trying to subscribe or poll manually across every tenant, the best I have found so far is manually opening these for every separate customer to try and set up the settings.

So starting from https://security.microsoft.com/ for each customer, going to Settings, and following the mentioned path, or navigating to the URL on the right in turn with each customer tenantID filled in

Incident Notifs
M365 Defender > Email Notifs > Incidents
https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleType=incidents&tid=<EachCustomerTenantID>

Actions
M365 Defender > Email Notifs > Actions
https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleType=actions&tid=<EachCustomerTenantID>

Threat Analytics
M365 Defender > Email Notifs > Threat Analytics
https://security.microsoft.com/securitysettings/defender/email_notifications?emailNotificationRuleType=threat_analytics&tid=<EachCustomerTenantID>

Alert Tuning/Suppression
M365 Defender > Alert Tuning
https://security.microsoft.com/securitysettings/defender/alert_suppression?tid=<EachCustomerTenantID>

Endpoint Alerts
Endpoints > Email Notifications > Alerts
https://security.microsoft.com/securitysettings/endpoints/email_notifications?childviewid=alerts&tid=<EachCustomerTenantID>

Endpoint Vulnerabilities
Endpoints > Email Notifications > Vulnerabilities
https://security.microsoft.com/securitysettings/endpoints/email_notifications?childviewid=vulnerabilities&tid=<EachCustomerTenantID>

Identity Health Notifs
Microsoft Defender for Identity > Health Issues
https://security.microsoft.com/settings/identities?tabid=healthIssuesNotifications&tid=<EachCustomerTenantID>

Identity Alerts
Microsoft Defender for Identity > Alert
https://security.microsoft.com/settings/identities?tabid=securityAlertsNotifications&tid=<EachCustomerTenantID>

I can easily get Incidents or Alerts for a specific tenant, even across tenants through DAP/GDAP/CSP rights. However - rather than querying hundreds of tenants, or trying to set up WebHook subscriptions or similar for them - I was going to just start with Auditing (and possibly manually configuring) the Notification Emails and Alerts to send an email to our ticketing system that we could follow up on.

However, I can't find any PowerShell commands or API where I can access these notification settings (access the actual ALERTS themselves, no problem, but not audit the actual Notification Configuration on more than an individual Alert/Incident level).

The backend of security.microsoft.com uses private API endpoints like https://security.microsoft.com/apiproxy/mtp/k8s/settings/ThreatAnalyticNotificationsSettings or https://security.microsoft.com/apiproxy/mtp/k8s/cloud/public/internal/IncidentNotificationSettingsV2 as an example for Incident Notifications. The list above is the URLs that you access as the Administrator to configure these by hand, but I am hoping to find a way to get API/Programmatic/Scripted access to these values - but I cannot find any (public) API that seems to access them other than manually. Does anyone have an idea?

1.6K Views, 0 likes, 0 Comments

Get list of all tiIndicators using Graph API
Hello Community, I have a Sentinel system with about 30K of TI indicators, that were ingested from Alien Vault using this playbook: Azure-Sentinel/Playbooks/Get-AlienVault_OTX at master · Azure/Azure-Sentinel (github.com). Now I would like to get a list of all indicators using Graph API. I tried to do it using Graph Explorer with the following query:

GET https://graph.microsoft.com/beta/security/tiIndicators

And I got the following response:

After that, I tried to add a new indicator using Graph API:

POST https://graph.microsoft.com/beta/security/tiIndicators

and a request body from this example: Create threat intelligence indicator - Microsoft Graph beta | Microsoft Docs

Then I did the first step of getting the list of existing indicators and I did see the indicator that was added manually. I went to Sentinel TI to check whether I see this manually added indicator or not there and I did see it.

So my question is the following: Has anyone tried GraphAPI for TI indicators? What am I missing? Why don't I see all my indicators? It is in beta now, but it seems weird that the GET request shows nothing.

1.5K Views, 0 likes, 1 Comment

Topic search not working in People API
For the past 1 month, the topic search is not working in the People API. When a topic is added and the query is provided, an error message is shown below. I have tried it with multiple user accounts, multiple topics, and with different tenants as well, but the issue seems to persist. Here is the API query provided and the error response:

https://graph.microsoft.com/v1.0/me/people/?$search="topic: microsoft"

{
  "error": {
    "code": "ErrorInternalServerError",
    "message": "An internal server error occurred. The operation failed.",
    "innerError": {
      "request-id": "21856e34-e8b5-4caa-afa7-d0c596555c59",
      "date": "2019-05-05T10:01:55"
    }
  }
}

1.5K Views, 0 likes, 1 Comment

Graph API for Microsoft Secure Score Recommended actions
Hello, We were able to get Secure Score and Secure Score Control Profiles using Graph API. We would also want to get the recommended actions in Microsoft Secure Score using Graph API or Microsoft Defender API. Is there a way that we can do this? Thanks

1.3K Views, 0 likes, 0 Comments