Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,445 questions
Graph security alerts v2 API returns error for an invalid serviceSource filter 'microsoftDataLossPrevention'
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 19%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPS%3C/text%3E%3C/svg%3E)
Pritesh Shah
0
Reputation points
We use the Microsoft Graph Security Alerts v2 API (https://graph.microsoft.com/v1.0/security/alerts_v2) with the following filters:
filter=(serviceSource eq 'azureAdIdentityProtection' or serviceSource eq 'microsoft365Defender' or serviceSource eq 'microsoftAppGovernance' or serviceSource eq 'microsoftDefenderForCloud' or serviceSource eq 'microsoftDefenderForCloudApps' or serviceSource eq 'microsoftDefenderForEndpoint' or serviceSource eq 'microsoftDefenderForIdentity' or serviceSource eq 'microsoftDefenderForOffice365' or serviceSource eq 'microsoftDataLossPrevention' or serviceSource eq 'unknown') and (createdDateTime gt 2024-01-01T00:00:00.000000000Z)
Since a few hours ago, we have been seeing the following error response:
{
"error": {
"code": "",
"message": "The query specified in the URI is not valid. The string 'microsoftDataLossPrevention' is not a valid enumeration type constant.",
"details": [],
"innerError": {
"date": "2024-01-30T17:52:41",
"request-id": "xxxxxxx",
"client-request-id": "xxxxxxx"
}
}
}
We do see that the valid value for serviceSources as per the documentation is dataLossPrevention and not microsoftDataLossPrevention. Changing this in the filter fixed the issue.
Question is what changed, as our scripts worked fine (for many months) until a few hours ago?
- Was the serviceSource field
microsoftDataLossPreventionrenamed todataLossPrevention? - Or were the underlying checks part of the API changed which caused the API to report this error which it previously did not?
Appreciate clarity on this.
Thanks!
Pritesh
{count} votes
-
Pritesh Shah 0 Reputation points
2024-01-31T09:22:28.15+00:00 We have many customers using our application to fetch these security alerts data from their Azure subscriptions. After making the
serviceSourcefilter change mentioned above, the issue is resolved for most of our consumers. But, there is one consumer where we see it now throws an error even with this serviceSourcedataLossPrevention. Which according to the documentation is actually a valid serviceSource filter. Is there an underlying dependency on say the Azure subscription tier etc, that could result in this behaviour being different across different customers? Or perhaps there is a underlying bug.Error message: The query specified in the URI is not valid. The string 'dataLossPrevention' is not a valid enumeration type constant. GET https://graph.microsoft.com/v1.0/security/alerts_v2?%24orderby=createdDateTime%20asc&filter=%28serviceSource%20eq%20%27azureAdIdentityProtection%27%20or%20serviceSource%20eq%20%27microsoft365Defender%27%20or%20serviceSource%20eq%20%27microsoftDefenderForCloud%27%20or%20serviceSource%20eq%20%27microsoftAppGovernance%27%20or%20serviceSource%20eq%20%27microsoftDefenderForCloudApps%27%20or%20serviceSource%20eq%20%27microsoftDefenderForEndpoint%27%20or%20serviceSource%20eq%20%27microsoftDefenderForIdentity%27%20or%20serviceSource%20eq%20%27microsoftDefenderForOffice365%27%20or%20serviceSource%20eq%20%27dataLossPrevention%27%29%20and%20%28createdDateTime%20gt%202024-01-30T18%3A48%3A57.603333300Z%29 SdkVersion : graph-java/v5.50.0 400 : Bad Request
Sign in to comment