MikeDonohue-3403 asked JamesHamil-MSFT commented

Getting 401 doing a GET from https://wdatp-alertexporter-us.windows.com/api/alerts

Hi,

Working with a customer to get their Defender Endpoint Alerts.

Following instructions here

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api

I am able to get the Access Token with the info provided by the customer (tenantId, appId, and appSecret)

However getting a 401 attempting

 curl -s -v -X GET \
 -H "Content-Type: application/json" \
 -H "Accept: application/json" \
 -H "Authorization: Bearer $token" \
 https://wdatp-alertexporter-us.windows.com/api/alerts

When I checked the access token at https://jwt.ms/ I see these roles

   "roles": [
     "Url.Read.All",
     "Ip.Read.All",
     "Ti.Read.All",
     "User.Read.All",
     "Alert.Read.All",
     "Software.Read.All",
     "File.Read.All",
     "Vulnerability.Read.All",
     "AdvancedQuery.Read.All"
   ]

Noticed that they do not match the roles listed in this doc:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp#validate-the-token

Do I need all of those roles listed in the doc?

If not, what is the minimum set of roles I need to GET alerts via
wdatp-alertexporter-us.windows.com/api/alerts?

Or do you see anything else wrong with my request that might be causing the 401 error?


Thanks - Mike

windows-10-security, azure-security-center

Hi, do you still require assistance? If not, please mark the answer as verified.

Thank you,
James

Eli-Ofek answered

I think you should tag wdatp and not ems-advanced-threat-analytics...


KarlieWeng-MSFT answered KarlieWeng-MSFT commented

Hi @MikeDonohue-3403

Found these on Google, hope it helps:

Replace:

$authorization = "Bearer token"
with:

$authorization = "Authorization: Bearer token";

to make it a valid and working Authorization header.


    // $post: data array to send, $token: bearer token string (function name is illustrative)
    function sendJsonPost($post, $token) {
        header('Content-Type: application/json'); // Specify the type of data
        $ch = curl_init('https://APPURL.com/api/json.php'); // Initialise cURL
        $post = json_encode($post); // Encode the data array into a JSON string
        $authorization = "Authorization: Bearer ".$token; // Prepare the authorisation token
        curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json' , $authorization )); // Inject the token into the header
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // Return the response instead of printing it
        curl_setopt($ch, CURLOPT_POST, 1); // Specify the request method as POST
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post); // Set the posted fields
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); // This will follow any redirects
        $result = curl_exec($ch); // Execute the cURL statement
        curl_close($ch); // Close the cURL connection
        return json_decode($result); // Return the received data
    }


If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best Regards
Karlie



Hello @MikeDonohue-3403

Good day!

I'm just following up to make sure you received my last reply.

You can enable email notifications for a variety of different events in Microsoft Q&A:
https://docs.microsoft.com/en-us/answers/articles/67444/email-notifications.html

If you have any further questions or suggestions about this case, please let me know.


If the Answer is helpful, please click "Accept Answer" and upvote it.
Best Regards
Karlie


Hello @MikeDonohue-3403

Has the problem been resolved? If there is any problem, feedback is welcome!

---Please Accept answer if the reply is helpful---

Thanks
Karlie
