@Robbe Willeme Thank you for reaching out to us, came across this doc - https://learn.microsoft.com/en-us/defender-xdr/api-access while researching about your issue, just check if this helps, feel free to post back.
How to connect the Microsoft Defender XDR event logs using the API?
I'm currently working on a project to fully automate the deployment of a Microsoft Sentinel workspace. I already developed a working PowerShell script that uses the Microsoft.SecurityInsights API to install solutions from the content hub and enable the analytic rules that come with the templates installed by these solutions. The next step in the process is to connect to data connectors, I'm using ARM templates to accomplish this. But I'm having some issues here to connect the Microsoft Defender XDR connector. With the help of the Microsoft documentation, I was able to connect incidents and alerts using an ARM template, but I can't find how to connect the event logs from the various Microsoft Defender XDR products.
With the event logs I mean the following tables:
DeviceInfo
DeviceNetworkInfo
DeviceProcessEvents
DeviceNetworkEvents
DeviceFileEvents
DeviceRegistryEvents
DeviceLogonEvents
DeviceImageLoadEvents
DeviceEvents
DeviceFileCertificateInfo
EmailEvents
EmailUrlInfo
EmailAttachmentInfo
EmailPostDeliveryEvents
UrlClickEvents
CloudAppEvents
IdentityLogonEvents
IdentityQueryEvents
IdentityDirectoryEvents
AlertInfo
AlertEvidence
I discovered that Azure uses this endpoint: "https://api.security.microsoft.com/api/dataexportsettings" to enable these events when I manually configured it. I'm now trying to use this endpoint in a Powershell script to automate this process, but I encountered the following error message when calling the API:
{
"error": {
"code": "Forbidden",
"message": "Application context is not allowed to access this API. Expected user context.",
"target": "00-f9b6bde6ec9dc025db43d2b3d862b9f7-09ef1be4bbccc8db-00"
}
}
It appears that using an application context to call this API is not possible? So the question is, is there any way to get around this issue and fully automate the process of connecting the event logs without requiring user interaction?
1 answer
Sort by: Most helpful
-
Givary-MSFT 33,311 Reputation points Microsoft Employee
2024-08-13T07:56:18.2433333+00:00