development
12 Topics

MIP SDK cannot read file labels if a message was encrypted by Outlook Classic.

C++ application uses MIP SDK version 1.14.108. The application does Office files decryption and labels reading. The problem with labels reading is observed.

Steps to reproduce:

1. Create a docx file with a label which does not impose encryption.
2. Open Outlook Classic, compose email, attach the document from 1, click Encrypt, send.
3. During message sending our application intercepts the docx file encrypted by Outlook in the temporary folder C:\Users\UserName\AppData\Local\Temp
4. Application decrypts the intercepted file using mipns::FileHandler::RemoveProtection. Visual inspection demonstrates that decryption runs successfully.
5. Then a separate FileHandler for the decrypted file is created, and mipns::FileHandler::GetLabel() returns an empty label.

It means that the label was lost during decryption. Upon visual inspection of the decrypted file via Word we can see that the label is missing. Also, we do not see MSIP_Label* entries in the metadata (File -> Info -> Properties -> Advanced Properties -> Custom).

Here is a fragment of the redacted MIP SDK log during file handler creation:

    =================
    file_engine_impl.cpp:327 "Creating file handler for: [D:\GitRepos\ ...reducted]" mipns::FileEngineImpl::CreateFileHandlerImpl
    gsf_utils.cpp:50 "Initialized GSF" `anonymous-namespace'::InitGsfHelper
    data_spaces.cpp:415 "No LabelInfo stream was found. No v1 custom properties" mipns::DataSpaces::GetLabelInfoStream
    data_spaces.cpp:428 "No LabelInfo stream was found. No v1 custom properties" mipns::DataSpaces::GetXmlPropertiesV1
    file_format_base.cpp:155 "Getting protection from input..." mipns::FileFormatBase::GetProtection
    license_parser.cpp:233 "XPath returned no results" `anonymous-namespace'::GetXmlNodesFromPath
    license_parser.cpp:233 "XPath returned no results" `anonymous-namespace'::GetXmlNodesFromPath
    license_parser.cpp:299 "GetAppDataNode - Failed to get ID in PL app data section, parsing failed" `anonymous-namespace'::GetAppDataNode
    api_log_cache.cpp:58 "{{============== API CACHED LOGS BEGIN ============}}" mipns::ApiLogCache::LogAllMessages
    file_engine_impl.cpp:305 "Starting API call: file_create_file_handler_async scenarioId=89fd6484-7db7-4f68-8cf7-132f87825a26" mipns::FileEngineImpl::CreateFileHandlerAsync 37948
    default_task_dispatcher_delegate.cpp:83 "Executing task 'ApiObserver-0' on a new detached thread" mipns::DefaultTaskDispatcherDelegate::ExecuteTaskOnIndependentThread 37948
    file_engine_impl.cpp:305 "Ended API call: file_create_file_handler_async" mipns::FileEngineImpl::CreateFileHandlerAsync 37948
    file_engine_impl.cpp:305 "Starting API task: file_create_file_handler_async scenarioId=89fd6484-7db7-4f68-8cf7-132f87825a26" mipns::FileEngineImpl::CreateFileHandlerAsync
    file_engine_impl.cpp:327 "Creating file handler for: [D:\GitRepos\...reducted....docx]" mipns::FileEngineImpl::CreateFileHandlerImpl
    file_format_factory_impl.cpp:88 "Create File Format. Extension: [.docx]" mipns::FileFormatFactoryImpl::Create
    file_format_base.cpp:363 "V1 metadata is not supported for file extension .docx. Setting metadata version to 0" mipns::FileFormatBase::CalculateMetadataVersion
    compound_file.cpp:183 "Open compound file for read" mipns::CompoundFile::OpenRead
    gsf_utils.cpp:50 "Initialized GSF" `anonymous-namespace'::InitGsfHelper
    compound_file_storage_impl.cpp:351 "Get Metadata" mipns::CompoundFileStorageImpl::GetMetadata
    compound_file_storage_impl.cpp:356 "No Metadata, not creating GSF object" mipns::CompoundFileStorageImpl::GetMetadata
    metadata.cpp:119 "Create Metadata" mipns::Metadata::Metadata
    metadata.cpp:136 "Got [0] properties from DocumentSummaryInformation" mipns::Metadata::GetProperties
    compound_file_storage_impl.cpp:351 "Get Metadata" mipns::CompoundFileStorageImpl::GetMetadata
    compound_file_storage_impl.cpp:356 "No Metadata, not creating GSF object" mipns::CompoundFileStorageImpl::GetMetadata
    metadata.cpp:119 "Create Metadata" mipns::Metadata::Metadata
    metadata.cpp:136 "Got [0] properties from DocumentSummaryInformation" mipns::Metadata::GetProperties
    =================

40 Views, 0 likes, 1 Comment

Using Microsoft Graph Security API for Custom Security Automations
Hi Security Experts,

I’ve recently started exploring the Microsoft Graph Security API to centralize and automate security operations across different Microsoft 365 services. The idea is to build a single automation layer that can:

- Collect alerts from Defender for Endpoint, Defender for Cloud, and Identity Protection;
- Enrich them with context (user, device, and location data);
- And automatically push them to an external system like Jira, n8n, or a custom SOAR workflow.

I was able to authenticate and list alerts using the endpoint: “GET https://graph.microsoft.com/v1.0/security/alerts”

However, I’m still trying to understand the best practices for handling rate limits, pagination, and permissions — especially when integrating continuous polling or real-time ingestion into external tools.

Has anyone here implemented Graph Security API automations in production? I’d love to hear about your experiences — specifically around performance, alert filtering, and authentication (App Registration vs Managed Identity).

Thanks in advance,
Luca

53 Views, 0 likes, 0 Comments

Graph API - Difference in Calendar events between users
Hi All,

I have a .NET 3.1 WebApp running an Application Permission Graph API instance. I have noticed some discrepancies when using the .Calendar.CalendarView and .Events extensions. I have found that some events that should be returned aren't returned by the API.

This is the C# code that I use:

    // Request the calendar view for the week, with times in Europe/London
    ICalendarCalendarViewCollectionPage response = await _graphClient.Users[userId].Calendar.CalendarView
        .Request(new List<QueryOption>
        {
            new QueryOption("startDateTime", startDate.ToString("yyyy-MM-ddTHH:mm:ssZ")),
            new QueryOption("endDateTime", endDate.ToString("yyyy-MM-ddTHH:mm:ssZ"))
        })
        .Header("Prefer", "outlook.timezone=\"Europe/London\"")
        .GetAsync();

Where startDate is a Monday, and endDate is a Sunday. The UserId is definitely correct as it does return some correct events.

For example, I and another colleague are booked onto a Recurring Teams Meeting. Neither of us is the organiser but the organiser does exist in the tenant. When I call the code block above, the meeting IS CORRECTLY returned from that call in the response. But if I switch the UserId to my colleague's UserId, it won't return that meeting from the API. The meeting DOES show on both of our calendars in Outlook Old & New. I use the old version of Outlook, and he uses the new version of Outlook.

I'd also like to note that some recurring meetings do show up on the faulty user's Calendar View, just certain ones do not, so I'm pretty sure that the fact that the event is recurring doesn't matter.

Does anyone have any insight into this?

Thanks

Solved

128 Views, 0 likes, 2 Comments

Major Delay with /alerts endpoint
Hey folks,

I've been seeing some significant delays with the /alerts API endpoint. Ballpark range of 2-5 hours.

For example, there is an alert in Azure Sentinel that fires at ~13:00 UTC (based on the TimeGenerated field). Our internal process that polls for new events from /alerts every ~2-3 minutes doesn't pick up this new alert until ~17:00 UTC.

I know there is the /alerts_v2 endpoint, and we're working on upgrading our processes to use that - but for the time being, I'm trying to find a solution / answer to this particular endpoint.

Anyone experience this or have any insights?

464 Views, 0 likes, 0 Comments

MS Graph Authorization issue (Status code 401) - Power Automate Flow for Copilot Studio
Hi Folks,

I am trying to develop a MS Power Automate Flow that can post QMS documents information to a Copilot Studio bot based on users' questions. I am using "Create text with GPT using Prompt" to extract users' intention about documents from their natural language. Then I use the HTTP connector to post the results to the Copilot Studio bot.

I have done all the steps:

1. Registered App in Azure Portal
2. Granted Sites.Selected (Read) permission to my app so that it can read the information from the QMS document library in SharePoint. We only want the app permission related to the subsite, not the whole site.

The issue I am facing is that the HTTP action is still showing unauthorized Status code 401. Could you guide me if there is something incomplete or insufficient? Many thanks.

After running please see below error:

Best regards,
perlite77

617 Views, 0 likes, 0 Comments

Create alert when a login was attempted from certain IP address (or block of addresses)
I'm trying to create an alert when there is a login attempt to a certain IP, using the following MG Graph PS command:

    $newAlert = Invoke-RestMethod -Uri $alertUrl -Method Post -Headers $authHeader -Body $alertBody

The response I got is:

    Invoke-RestMethod: {"error":{"code":"","message":"POST is not supported"....

    $alertUrl = "https://graph.microsoft.com/v1.0/security/alerts"
    # JSON request body, held in a here-string
    $AlertBody = @'
    {
      "networkConnections": [{ "destinationAddress": "30.1XX.XX.XX" }],
      "title": "Login Attempt from Specific IP",
      "category": "SuspiciousActivity",
      "description": "Login attempt detected from IP address: 30.1XX.XX.XX",
      "vendorInformation": { "subProvider": "Sub Prov EFI", "provider": "Prov EFI" },
      "assignedTo": "me",
      "cloudAppStates": [{
        "servicePlanId": "00000000-0000-0000-0000-000000000000",
        "appId": "00000002-0000-0ff1-ce00-000000000000"
      }]
    }
    '@

Assume Headers are OK (they are, verified).

Question: What caused the error? Is it that the endpoint URI is not the correct one? Or is it that this kind of alert cannot be set using Graph?

2.8K Views, 0 likes, 3 Comments

How can I publish any application in MS Defender portal?
I want to create indicators in Defender from my application using https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/post-ti-indicator. Just want to know if I can publish my application on the Defender portal, just the way we can publish a data connector and other services in the Sentinel portal.

1.3K Views, 0 likes, 3 Comments

Issues with timespan on log analytics query API
Hi,

This appears to be the best place for this query: We've been trying to set the API timespan for log analytics queries. However, even when using the correct ISO8601 format (PT1H for example), it does not work as it should - it does not work in a comparable manner to using the time period piece in the UI. There is no difference between using the Timespan piece and not - it returns the same details either way, in the example I was testing, multiple weeks' worth (no time period was set inside the query).

https://learn.microsoft.com/en-us/rest/api/loganalytics/dataaccess/query/get?tabs=HTTP

Is this a bug, or is there a different format required for this? We have also tried with 1H, 01:00:00, etc., to no avail.

Many thanks,
Keith

1K Views, 0 likes, 0 Comments

CreatetiIndicator Rate Limiting HTTP 400 Status instead of 429
We're getting back HTTP 400 instead of 429 from the Security API. This is causing the Logic Apps connector to not retry as it's looking for 429. I do see the 429 code contained in the body, but this should be returned as the HTTP status code also. It wouldn't matter much, except that it seems the bulk submission only works for Azure Sentinel and not Defender. We're trying to add indicators to Defender.

    {
      "statusCode": 400,
      "headers": {
        "Transfer-Encoding": "chunked",
        "Vary": "Accept-Encoding",
        "Strict-Transport-Security": "max-age=31536000",
        "request-id": "XXXXXXXXXXX",
        "client-request-id": "XXXXXXXXXXXX",
        "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"West US 2\",\"Slice\":\"E\",\"Ring\":\"1\",\"ScaleUnit\":\"001\",\"RoleInstance\":\"MW2PEPF0000836D\"}}",
        "Timing-Allow-Origin": "*",
        "x-ms-apihub-cached-response": "true",
        "x-ms-apihub-obo": "false",
        "Cache-Control": "no-cache",
        "Date": "Thu, 17 Nov 2022 16:23:39 GMT",
        "Content-Type": "application/json",
        "Content-Length": "560"
      },
      "body": {
        "error": {
          "code": "",
          "message": "Http request failed with statusCode=429 : {\"error\":{\"code\":\"TooManyRequests\",\"message\":\"API calls quota exceeded! Maximum allowed 50 per 00:01:00 for the key Destination+TenantID+AppID. You can send requests again in 14 seconds.\",\"target\":\"|XXXXXXXXXXXXXXXXXXXX\"}}; ",
          "innerError": {
            "date": "2022-11-17T16:23:40",
            "request-id": "XXXXXXXXXXX",
            "client-request-id": "XXXXXXXXX"
          }
        }
      }
    }

989 Views, 0 likes, 0 Comments
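
A client that submits indicators can recognize the throttling response quoted in the last post even when it arrives as HTTP 400. The following Python is an added example, not code from the post or from Microsoft: `throttle_delay` and `submit_with_retry` are hypothetical names, `send` is assumed to be any caller-supplied function returning `(status, headers, body)`, and the sample body is constructed from the fields shown in the post.

```python
import re
import time

# The connector embeds the real status and the wait hint in the message text.
_INNER_STATUS = re.compile(r"statusCode=(\d{3})")
_RETRY_HINT = re.compile(r"again in (\d+) seconds")


def throttle_delay(status_code, body, headers=None, default_delay=30):
    """Return the seconds to wait if the response is throttling, else None."""
    headers = {k.lower(): str(v) for k, v in (headers or {}).items()}
    if status_code == 429:
        retry_after = headers.get("retry-after", "")
        return int(retry_after) if retry_after.isdigit() else default_delay
    if status_code != 400 or not isinstance(body, dict):
        return None
    message = (body.get("error") or {}).get("message") or ""
    inner = _INNER_STATUS.search(message)
    if not inner or inner.group(1) != "429":
        return None  # a genuine 400: retrying will not help
    hint = _RETRY_HINT.search(message)
    return int(hint.group(1)) if hint else default_delay


def submit_with_retry(send, max_attempts=4, sleep=time.sleep):
    """Call send() until the response is not throttled or attempts run out."""
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        delay = throttle_delay(status, body, headers)
        if delay is None or attempt == max_attempts:
            return status, body, attempt
        sleep(delay + 1)  # one second of slack past the advertised window


# Constructed sample, shaped like the response body quoted in the post.
SAMPLE_BODY = {"error": {"code": "", "message": (
    'Http request failed with statusCode=429 : {"error":{"code":'
    '"TooManyRequests","message":"API calls quota exceeded! Maximum allowed '
    '50 per 00:01:00 for the key Destination+TenantID+AppID. You can send '
    'requests again in 14 seconds."}}; ')}}
```

Logging each wrapped 429 with its `request-id` keeps the throttling visible to monitoring, since status-code dashboards will only show 400s.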