How to connect the Microsoft Defender XDR event logs using the API?

Robbe Willeme 5 Reputation points
2024-08-12T14:28:02.2866667+00:00

I'm currently working on a project to fully automate the deployment of a Microsoft Sentinel workspace. I already developed a working PowerShell script that uses the Microsoft.SecurityInsights API to install solutions from the content hub and enable the analytic rules that come with the templates installed by these solutions. The next step in the process is to connect to data connectors, I'm using ARM templates to accomplish this. But I'm having some issues here to connect the Microsoft Defender XDR connector. With the help of the Microsoft documentation, I was able to connect incidents and alerts using an ARM template, but I can't find how to connect the event logs from the various Microsoft Defender XDR products.

With the event logs I mean the following tables:

DeviceInfo

DeviceNetworkInfo

DeviceProcessEvents

DeviceNetworkEvents

DeviceFileEvents

DeviceRegistryEvents

DeviceLogonEvents

DeviceImageLoadEvents

DeviceEvents

DeviceFileCertificateInfo

EmailEvents

EmailUrlInfo

EmailAttachmentInfo

EmailPostDeliveryEvents

UrlClickEvents

CloudAppEvents

IdentityLogonEvents

IdentityQueryEvents

IdentityDirectoryEvents

AlertInfo

AlertEvidence

I discovered that Azure uses this endpoint: "https://api.security.microsoft.com/api/dataexportsettings" to enable these events when I manually configured it. I'm now trying to use this endpoint in a Powershell script to automate this process, but I encountered the following error message when calling the API:

{

    "error": {

        "code": "Forbidden",

        "message": "Application context is not allowed to access this API. Expected user context.",

        "target": "00-f9b6bde6ec9dc025db43d2b3d862b9f7-09ef1be4bbccc8db-00"

    }

}

It appears that using an application context to call this API is not possible? So the question is, is there any way to get around this issue and fully automate the process of connecting the event logs without requiring user interaction?

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,164 questions
{count} vote

1 answer

Sort by: Most helpful
  1. Givary-MSFT 33,311 Reputation points Microsoft Employee
    2024-08-13T07:56:18.2433333+00:00

    @Robbe Willeme Thank you for reaching out to us, came across this doc - https://learn.microsoft.com/en-us/defender-xdr/api-access while researching about your issue, just check if this helps, feel free to post back.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.