Azure Identity Protection - Risk Detection API - Filter by date
I am trying to filter the RiskDetection data retrieved from Azure Identity Protection by date, but so far without success.
For the sample data below, filtering by activityDateTime (or any date field in the sample data) returns an internal error in the response:
https://graph.microsoft.com/beta/riskDetections?$filter=activityDateTime ge 2020-02-05
{'error': {'code': 'Internal Server Error', 'message': 'There was an internal
server error while processing the request.
Error ID: 0c2de841-9d83-479a-b7f2-ed2c102908f6',
'innerError':
{'request-id': '0c2de841-9d83-479a-b7f2-ed2c102908f6',
'date': '2020-02-07T01:28:17'}}}
From https://docs.microsoft.com/en-us/graph/query-parameters:
Note: The following $filter operators are not supported for Azure AD
resources: ne, gt, ge, lt, le, and not. The contains string operator
is currently not supported on any Microsoft Graph resources.
Is there a way to filter RiskDetections by date? Any help would be greatly appreciated.
The following filter with riskType and riskLevel returns data:
risk_detections_api_url = "https://graph.microsoft.com/beta/riskDetections?$filter=riskType eq 'anonymizedIPAddress' or riskLevel eq 'medium'"
The following filter with userPrincipalName returns data:
risk_detections_api_url = "https://graph.microsoft.com/beta/riskDetections?$filter=userPrincipalName eq 'john.doe@example.com'"
The following filter with ipAddress returns data:
risk_detections_api_url = "https://graph.microsoft.com/beta/riskDetections?$filter=ipAddress eq '195.228.45.176'"
Sample data
{
"id": "8901d1fee9bqwqweqwe683a221af3d2ae691736f2e369e0dd530625398",
"requestId": "cc755f41-0313-4cb2-96ce-3a6283fef200",
"correlationId": "c422083d-0e32-4afb-af4e-6ca46e4235b4",
"riskType": "anonymizedIPAddress",
"riskState": "atRisk",
"riskLevel": "medium",
"riskDetail": "none",
"source": "IdentityProtection",
"detectionTimingType": "realtime",
"activity": "signin",
"tokenIssuerType": "AzureAD",
"ipAddress": "195.228.45.176",
"activityDateTime": "2019-12-26T17:40:02.1402381Z",
"detectedDateTime": "2019-12-26T17:40:02.1402381Z",
"lastUpdatedDateTime": "2019-12-26T17:43:21.8931807Z",
"userId": "e3835755-80b0-4b61-a1c0-5ea9ead75300",
"userDisplayName": "John Doe",
"userPrincipalName": "john.doe@example.com",
"additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0\"}]",
"location": {
"city": "Budapest",
"state": "Budapest",
"countryOrRegion": "HU",
"geoCoordinates": {
"latitude": 47.45996,
"longitude": 19.14968
}
}
}
Based on Properties, activityDateTime is of type datetimeoffset.
So you should use GET https://graph.microsoft.com/beta/riskDetections?$filter=activityDateTime gt 2019-12-25
rather than GET https://graph.microsoft.com/beta/riskDetections?$filter=activityDateTime gt '2019-12-25'.
A similar API is documented here: List directoryAudits.
But when I tested it, it gave a 500 error:
{
"error": {
"code": "Internal Server Error",
"message": "There was an internal server error while processing the request. Error ID: d52436f6-073b-4fc8-b3bc-c6a6336d6886",
"innerError": {
"request-id": "d52436f6-073b-4fc8-b3bc-c6a6336d6886",
"date": "2020-02-05T04:10:45"
}
}
}
I believe the beta version of this API is still changing. You can contact Microsoft support with your request ID for further investigation.
You need to supply the date in UTC format.
Example:
https://graph.microsoft.com/beta/riskDetections?$filter=activityDateTime ge 2020-01-01T22:13:50.843847Z
In Python, you would do something like the following to create the URL with the filter:
from datetime import datetime
# utcnow() returns a naive datetime already in UTC; append "Z" so the
# literal is an explicit UTC timestamp, e.g. 2020-01-01T22:13:50.843847Z
date_filter = datetime.utcnow().isoformat()+"Z"
# datetimeoffset operands are not quoted in the $filter expression
request_url = "https://graph.microsoft.com/beta/riskDetections?$filter=activityDateTime ge " + date_filter
The response is now filtered:
[
{
"id": "68f0402c7063a2fbbae5895f2c63598ca3c2b81c44be60145be1a9cd7e20af4b",
"requestId": "181d3817-b4fb-4d2b-a87c-065776f05800",
"correlationId": "6d02786c-0bc7-441f-b303-51430016f955",
"riskType": "unfamiliarFeatures",
"riskState": "atRisk",
"riskLevel": "low",
"riskDetail": "none",
"source": "IdentityProtection",
"detectionTimingType": "realtime",
"activity": "signin",
"tokenIssuerType": "AzureAD",
"ipAddress": "52.185.138.50",
"activityDateTime": "2020-02-07T05:48:07.6322964Z",
"detectedDateTime": "2020-02-07T05:48:07.6322964Z",
"lastUpdatedDateTime": "2020-02-07T05:49:33.3003616Z",
"userId": "e3835755-80b0-4b61-a1c0-5ea9ead75300",
"userDisplayName": "John Doe",
"userPrincipalName": "john.doe@example.com",
"additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36\"}]",
"location": {
"city": "tokyo",
"state": "tokyo",
"countryOrRegion": "jp",
"geoCoordinates": {
"latitude": 35.69628,
"longitude": 139.7386
}
}
}
]
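The two answers above make two separate points about the $filter operand: it is a datetimeoffset and therefore must not be single-quoted (first answer), and it has to be a full UTC timestamp rather than a bare date (second answer), while the string-typed filters in the question (riskType, userPrincipalName, ipAddress) do need quotes. The following is an added example, not code from the question or either answer, that builds the riskDetections URL with the right quoting per property type, rejects the bare-date form that produced the 500 in the question, and, as a fallback for a beta endpoint that is still changing, filters returned records client-side by activityDateTime. The set of datetime-typed properties, the SAMPLE_RECORDS list (trimmed copies of the two records in the thread) and the percent-encoding choice are my assumptions; nothing here calls the network.

```python
# Added example (not from the thread): type-aware $filter construction for the
# Microsoft Graph beta riskDetections endpoint plus a client-side date filter.
from datetime import datetime, timezone
from urllib.parse import quote

GRAPH_RISK_DETECTIONS = "https://graph.microsoft.com/beta/riskDetections"

# riskDetection properties typed datetimeoffset (assumption based on the
# Properties table cited in the first answer); all other properties this
# helper handles are treated as strings and single-quoted.
DATETIME_PROPERTIES = {"activityDateTime", "detectedDateTime", "lastUpdatedDateTime"}

# Constructed reference instant, reused by the usage code and the tests.
SINCE_EXAMPLE = datetime(2020, 1, 1, 22, 13, 50, 843847, tzinfo=timezone.utc)


def to_graph_datetime(dt):
    """Format an aware datetime as the unquoted UTC literal Graph accepts,
    e.g. 2020-01-01T22:13:50.843847Z."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: attach a tzinfo so the UTC conversion is explicit")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z"


def odata_literal(prop, value):
    """Render one comparison operand with the quoting its property type needs."""
    if prop in DATETIME_PROPERTIES:
        if not isinstance(value, datetime):
            # A bare date string such as 2020-02-05 is the form that failed in the question.
            raise TypeError(f"{prop} needs a datetime object, got {value!r}")
        return to_graph_datetime(value)
    # String literal: single quotes, with embedded quotes doubled per OData.
    return "'" + str(value).replace("'", "''") + "'"


def build_filter(clauses, joiner="and"):
    """clauses: iterable of (property, operator, value) tuples, e.g. ("riskLevel", "eq", "medium")."""
    return f" {joiner} ".join(f"{p} {op} {odata_literal(p, v)}" for p, op, v in clauses)


def build_url(clauses, joiner="and"):
    """Full request URL; the filter expression is percent-encoded (space -> %20, ':' -> %3A)."""
    encoded = quote(build_filter(clauses, joiner), safe="'")
    return f"{GRAPH_RISK_DETECTIONS}?$filter={encoded}"


def parse_graph_datetime(s):
    """Parse Graph's 7-digit-fraction timestamps (e.g. 2019-12-26T17:40:02.1402381Z)
    into an aware UTC datetime. Trims to microseconds so fromisoformat works on 3.7+;
    a timestamp without an offset (as in the error's innerError.date) is taken as UTC."""
    if s.endswith("Z"):
        s = s[:-1] + "+00:00"
    head, dot, tail = s.partition(".")
    if dot:
        cut = max(tail.rfind("+"), tail.rfind("-"))
        frac, tz = (tail[:cut], tail[cut:]) if cut > 0 else (tail, "")
        s = f"{head}.{frac[:6].ljust(6, '0')}{tz}"
    dt = datetime.fromisoformat(s)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def detections_since(records, since):
    """Client-side fallback: keep detections whose activityDateTime >= since."""
    if since.tzinfo is None:
        since = since.replace(tzinfo=timezone.utc)
    return [r for r in records if parse_graph_datetime(r["activityDateTime"]) >= since]


# Constructed sample records (trimmed copies of the two shown in the thread).
SAMPLE_RECORDS = [
    {"id": "8901d1fee9bqwqweqwe683a221af3d2ae691736f2e369e0dd530625398",
     "riskType": "anonymizedIPAddress", "riskLevel": "medium",
     "ipAddress": "195.228.45.176",
     "activityDateTime": "2019-12-26T17:40:02.1402381Z",
     "userPrincipalName": "john.doe@example.com"},
    {"id": "68f0402c7063a2fbbae5895f2c63598ca3c2b81c44be60145be1a9cd7e20af4b",
     "riskType": "unfamiliarFeatures", "riskLevel": "low",
     "ipAddress": "52.185.138.50",
     "activityDateTime": "2020-02-07T05:48:07.6322964Z",
     "userPrincipalName": "john.doe@example.com"},
]

if __name__ == "__main__":
    print(build_url([("activityDateTime", "ge", SINCE_EXAMPLE)]))
    print(build_url([("riskType", "eq", "anonymizedIPAddress"), ("riskLevel", "eq", "medium")], "or"))
    for rec in detections_since(SAMPLE_RECORDS, SINCE_EXAMPLE):
        print(rec["id"][:16], rec["riskType"], rec["activityDateTime"])
```

Keeping the server-side filter and the client-side check side by side is useful while the endpoint is in beta: if the $filter request starts returning 500 again, the same `detections_since` call over an unfiltered page of results still yields the records for the window you care about, and the parsed timestamps are timezone-aware so comparisons against your own UTC boundary cannot silently mix naive and aware values.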