Can't ingest threat indicator for Microsoft Defender using Graph API

Max Kulish 0 Reputation points
2024-06-19T11:47:14.5566667+00:00

Hello!

I'm trying to ingest a threat indicator into Microsoft Defender from a logic app. It used to work in the past, but for some time now I've been getting an Unauthorized error.

I created a minimal setup containing only the trigger and the Create tiIndicator action. Here are the exact steps that I followed:

  1. I created a new logic app
  2. I enabled System assigned managed identity on this app
  3. I executed an Azure CLI script to grant the ThreatIndicators.ReadWrite.OwnedBy permission; the script returned a correct answer
  4. I went to Microsoft Entra ID -> Enterprise applications
  5. I changed the Application Type filter to Managed Identities and found my new logic app
  6. On the app's page I opened Permissions and ensured that the permission Microsoft Graph / ThreatIndicators.ReadWrite.OwnedBy is granted
  7. I opened the logic app's editor and created a Recurrence trigger and then a Microsoft Graph Security / Create tiIndicator action
  8. I chose Managed Identity as the auth type
  9. I filled the Create tiIndicator action's form with the following data:
    1. Action: alert
    2. Description: tiindicator test
    3. Expiration date time: 2024-10-10 12:00:00
    4. Target product: Microsoft Defender ATP
    5. Threat Type: malware
    6. Network IPv4: 10.0.0.1
  10. I saved and executed the logic app
  11. I'm getting the following error:
{
  "error": {
    "code": "",
    "message": "Http request failed with statusCode=Forbidden : {\"error\":{\"code\":\"Unauthorized\",\"message\":\"Unauthorized request - Account is not provisioned.\",\"target\":\"|a7e7bdcf-0b5c-441b-926a-7385ee273153.40585386_\"}}; ",
    "innerError": {
      "date": "2024-06-19T10:53:29",
      "request-id": "a7e7bdcf-0b5c-441b-926a-7385ee273153",
      "client-request-id": "a7e7bdcf-0b5c-441b-926a-7385ee273153"
    }
  }
}

Any help will be appreciated.

Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.

1 answer

  1. William 620 Reputation points
    2024-06-19T12:56:39.3866667+00:00

    This answer was generated in part by AI using Microsoft Copilot, in compliance with the AI Usage policy for Microsoft Q&A.

    It seems you’re encountering an issue with the Microsoft Graph API while trying to ingest threat indicators into Microsoft Defender using a Logic App. Let’s work through this step-by-step to resolve it:

    Verify Permissions:

    1. System Assigned Managed Identity:
      • Ensure that the System assigned managed identity of your Logic App has the ThreatIndicators.ReadWrite.OwnedBy permission correctly assigned.
        • Double-check in the Microsoft Enterprise ID portal that the permissions are indeed granted and reflect properly.

    Token Validation:

    1. Access Token:
      • Confirm that the Logic App is fetching the correct access token for the managed identity.
        • Test this by using an HTTP action in the Logic App to call the Microsoft Graph API endpoint. Use the Managed Identity as the authentication method.

    API Endpoint and Scope:

    1. Endpoint and Permissions:
      • Verify that the API endpoint you are calling is correct.
        • Check if the scope of the token includes the necessary permissions.

    Retry with Full Permissions:

    1. Testing Permissions:
      • As a test, try assigning more comprehensive permissions to the managed identity, such as SecurityEvents.ReadWrite.All, to see if that resolves the issue.
        • If this works, you can narrow down the permissions again to what is strictly necessary.

    Check for Account Provisioning:

    1. Account Configuration:
      • The error message mentions “Account is not provisioned.” This could indicate an issue with the Microsoft Defender ATP provisioning for the account being used.
        • Verify that the account and the Logic App are properly configured and provisioned in Microsoft Defender ATP.

    Run the Azure CLI Script Again:

    1. Permission Granting:
      • Re-run the Azure CLI script to grant permissions and ensure it completes without errors:
         az ad app permission add --id <ManagedIdentityClientId> --api 00000003-0000-0000-c000-000000000000 --api-permissions 77e65f8e-aeba-4f27-9fd7-3eb34d5b4c8e=Role
         az ad app permission grant --id <ManagedIdentityClientId> --api 00000003-0000-0000-c000-000000000000

    Additional Resources:
    
    - [Microsoft Graph API Permissions](https://docs.microsoft.com/en-us/graph/permissions-reference)
    
    - [Using Managed Identities for Azure Resources](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
    
    If you’ve checked all the above and the issue persists, consider opening a support ticket with Microsoft. There might be an underlying issue specific to your account setup.
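Added example for this thread (not code from the question or from the answer above): a bash script covering the question's setup procedure and the answer's token-validation step. It (1) grants the Microsoft Graph application role to the Logic App's managed identity the way Entra records it, as an appRoleAssignment on the identity's service principal, since a managed identity has no app registration for `az ad app permission add` to act on; (2) reads the `roles` claim of an access token to confirm the role is actually present before blaming the grant; and (3) reproduces the connector's call with `az rest`, sending the same indicator the question's form submits. Assumptions: Azure CLI is logged in as a principal allowed to create app role assignments; the endpoint path and property names are those of the Microsoft Graph Security API beta `tiIndicators` resource; `tlpLevel` is added because the API requires it although the question's form does not show it; the test token is constructed and unsigned; the script name `ti_check.sh` and all function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the question or the answer): three checks for a
# Logic App managed identity that gets "Forbidden ... Account is not
# provisioned" from Create tiIndicator.
#   1. grant the Graph application role as an appRoleAssignment on the
#      managed identity's service principal,
#   2. confirm the token the identity obtains carries that role,
#   3. reproduce the connector's call with az rest and the same indicator.
# Assumes Azure CLI 2.x logged in as a principal allowed to create app role
# assignments. Endpoint and property names follow the Graph Security API beta
# tiIndicators resource.
set -eu

GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # Microsoft Graph first-party app id
ROLE_NAME="ThreatIndicators.ReadWrite.OwnedBy"

# Object id of the Microsoft Graph service principal in this tenant, and the id
# of the application role looked up by name, so no role GUID is typed by hand.
graph_sp_object_id() {
  az ad sp show --id "$GRAPH_APP_ID" --query id -o tsv
}
graph_app_role_id() {
  az ad sp show --id "$GRAPH_APP_ID" \
    --query "appRoles[?value=='$ROLE_NAME' && contains(allowedMemberTypes, 'Application')].id" -o tsv
}

# A managed identity is a service principal with no app registration, so the
# permission is recorded as an appRoleAssignment on that service principal.
grant_role_to_managed_identity() {   # $1 = object id of the managed identity's service principal
  local body
  body=$(printf '{"principalId":"%s","resourceId":"%s","appRoleId":"%s"}' \
        "$1" "$(graph_sp_object_id)" "$(graph_app_role_id)")
  az rest --method post --headers "Content-Type=application/json" \
    --url "https://graph.microsoft.com/v1.0/servicePrincipals/$1/appRoleAssignments" \
    --body "$body"
}
list_role_assignments() {            # $1 = object id of the managed identity's service principal
  az rest --method get \
    --url "https://graph.microsoft.com/v1.0/servicePrincipals/$1/appRoleAssignments" \
    --query "value[].{appRoleId:appRoleId,resource:resourceDisplayName}" -o table
}

# Decode a JWT payload (second segment) without verifying the signature; enough
# to read the "roles" claim. base64url padding is restored before decoding.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr -- '-_' '+/')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="$seg="; done
  printf '%s' "$seg" | base64 -d
}
jwt_roles() {                        # one role name per line; empty if there is no roles claim
  jwt_payload "$1" | grep -o '"roles":\[[^]]*]' | grep -o '"[^"]*"' | tail -n +2 | tr -d '"' || true
}
has_role() {                         # $1 = token, $2 = role name
  jwt_roles "$1" | grep -x "$2" >/dev/null
}

# Constructed, unsigned token used only to exercise the claim check offline.
make_test_token() {                  # $1 = JSON payload
  local hdr pl
  hdr=$(printf '{"alg":"none","typ":"JWT"}' | base64 | tr -- '+/' '-_' | tr -d '=\n')
  pl=$(printf '%s' "$1" | base64 | tr -- '+/' '-_' | tr -d '=\n')
  printf '%s.%s.signature-placeholder' "$hdr" "$pl"
}

# The indicator from the question's form as the JSON body sent to the beta
# tiIndicators endpoint. tlpLevel is an assumption: the form does not show it,
# but the API requires it.
ti_indicator_payload() {             # $1 = IPv4, $2 = expiration (ISO 8601, UTC)
  printf '{"action":"alert","description":"tiindicator test","expirationDateTime":"%s","targetProduct":"Microsoft Defender ATP","threatType":"Malware","tlpLevel":"green","networkIPv4":"%s"}' "$2" "$1"
}
post_ti_indicator() {                # $1 = IPv4, $2 = expiration
  az rest --method post --headers "Content-Type=application/json" \
    --url "https://graph.microsoft.com/beta/security/tiIndicators" \
    --body "$(ti_indicator_payload "$1" "$2")"
}

# Usage: ./ti_check.sh <managed-identity-sp-object-id>
# The token check only means something when the CLI holds the managed
# identity's own token (e.g. `az login --identity` on a VM); otherwise paste a
# token captured from a Logic App HTTP action run into has_role.
if [ -n "${1:-}" ]; then
  grant_role_to_managed_identity "$1"
  list_role_assignments "$1"
  token=$(az account get-access-token --resource https://graph.microsoft.com --query accessToken -o tsv)
  if has_role "$token" "$ROLE_NAME"; then
    echo "token carries $ROLE_NAME; a Forbidden response is not a missing grant"
    post_ti_indicator 10.0.0.1 2024-10-10T12:00:00Z
  else
    echo "token lacks $ROLE_NAME; the app role assignment has not taken effect yet"
  fi
fi
```

The useful split is the `has_role` check: if the `roles` claim of the token already contains ThreatIndicators.ReadWrite.OwnedBy and Graph still answers with the "Account is not provisioned" body quoted in the question, the permission grant is not the problem and the investigation moves to the Defender side rather than to Entra.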