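I am trying to filter RiskDetection data retrieved from Azure Identity Protection, and so far I have not succeeded.
For the sample data below, a filter on activityDateTime (or on any date field in the sample data) returns an internal error in the response: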
https://graph.microsoft.com/beta/riskDetections?$filter=activityDateTime ge 2020-02-05
{'error': {'code': 'Internal Server Error', 'message': 'There was an internal
server error while processing the request.
Error ID: 0c2de841-9d83-479a-b7f2-ed2c102908f6',
'innerError':
{'request-id': '0c2de841-9d83-479a-b7f2-ed2c102908f6',
'date': '2020-02-07T01:28:17'}}}

From https://learn.microsoft.com/en-us/graph/query-parameters
Note: The following $filter operators are not supported for Azure AD resources: ne, gt, ge, lt, le, and not. The contains string operator is currently not supported on any resource.
Is there a way to filter RiskDetections by date? Any help would be appreciated.
The filter below with riskType and riskLevel shows data:
risk_detections_api_url = "https://graph.microsoft.com/beta/riskDetections?$filter=riskType eq 'anonymizedIPAddress' or riskLevel eq 'medium'"
The filter below with userPrincipalName shows data:
risk_detections_api_url = "https://graph.microsoft.com/beta/riskDetections?$filter=userPrincipalName eq 'john.doe@example.com'"
The filter below with ipAddress shows data:
risk_detections_api_url = "https://graph.microsoft.com/beta/riskDetections?$filter=ipAddress eq '195.228.45.176'"
Sample data
{
"id": "8901d1fee9bqwqweqwe683a221af3d2ae691736f2e369e0dd530625398",
"requestId": "cc755f41-0313-4cb2-96ce-3a6283fef200",
"correlationId": "c422083d-0e32-4afb-af4e-6ca46e4235b4",
"riskType": "anonymizedIPAddress",
"riskState": "atRisk",
"riskLevel": "medium",
"riskDetail": "none",
"source": "IdentityProtection",
"detectionTimingType": "realtime",
"activity": "signin",
"tokenIssuerType": "AzureAD",
"ipAddress": "195.228.45.176",
"activityDateTime": "2019-12-26T17:40:02.1402381Z",
"detectedDateTime": "2019-12-26T17:40:02.1402381Z",
"lastUpdatedDateTime": "2019-12-26T17:43:21.8931807Z",
"userId": "e3835755-80b0-4b61-a1c0-5ea9ead75300",
"userDisplayName": "John Doe",
"userPrincipalName": "john.doe@example.com",
"additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0\"}]",
"location": {
"city": "Budapest",
"state": "Budapest",
"countryOrRegion": "HU",
"geoCoordinates": {
"latitude": 47.45996,
"longitude": 19.14968
}
}
}

Posted on 2020-02-07 06:04:50
You need to provide the date in UTC format.
Example: https://graph.microsoft.com/beta/riskDetections?$filter=activityDateTime ge 2020-01-01T22:13:50.843847Z
In Python, you can do something like the following to create the URL with the filter:
from datetime import datetime
date_filter = datetime.utcnow().isoformat()+"Z"
request_url = "https://graph.microsoft.com/beta/riskDetections?$filter=activityDateTime ge " + date_filter

The response is now filtered:
[
{
"id": "68f0402c7063a2fbbae5895f2c63598ca3c2b81c44be60145be1a9cd7e20af4b",
"requestId": "181d3817-b4fb-4d2b-a87c-065776f05800",
"correlationId": "6d02786c-0bc7-441f-b303-51430016f955",
"riskType": "unfamiliarFeatures",
"riskState": "atRisk",
"riskLevel": "low",
"riskDetail": "none",
"source": "IdentityProtection",
"detectionTimingType": "realtime",
"activity": "signin",
"tokenIssuerType": "AzureAD",
"ipAddress": "52.185.138.50",
"activityDateTime": "2020-02-07T05:48:07.6322964Z",
"detectedDateTime": "2020-02-07T05:48:07.6322964Z",
"lastUpdatedDateTime": "2020-02-07T05:49:33.3003616Z",
"userId": "e3835755-80b0-4b61-a1c0-5ea9ead75300",
"userDisplayName": "John Doe",
"userPrincipalName": "john.doe@example.com",
"additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36\"}]",
"location": {
"city": "tokyo",
"state": "tokyo",
"countryOrRegion": "jp",
"geoCoordinates": {
"latitude": 35.69628,
"longitude": 139.7386
}
}
}
]

Posted on 2020-02-05 04:23:47
Based on the properties, activityDateTime is of the datetimeoffset type.
So you should use GET https://graph.microsoft.com/beta/riskDetections?$filter=activityDateTime gt 2019-12-25 instead of GET https://graph.microsoft.com/beta/riskDetections?$filter=activityDateTime gt '2019-12-25'.
Here is a similar API document: List directoryAudits.
But when I tested it, it gave a 500 error:
{
"error": {
"code": "Internal Server Error",
"message": "There was an internal server error while processing the request. Error ID: d52436f6-073b-4fc8-b3bc-c6a6336d6886",
"innerError": {
"request-id": "d52436f6-073b-4fc8-b3bc-c6a6336d6886",
"date": "2020-02-05T04:10:45"
}
}
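}

I believe the beta version of this API is still changing. You can contact Microsoft support with your request-id for further investigation.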
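
An added example (not from either answer or from Microsoft) of the UTC timestamp filter described in the first answer: it formats and percent-encodes the activityDateTime literal, and applies the same cutoff client-side to records already fetched, truncating the 7-digit fractional seconds seen in the sample data because Python's %f accepts at most 6. The helper names and the trimmed sample records are constructed for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import quote

GRAPH_URL = "https://graph.microsoft.com/beta/riskDetections"  # endpoint from the question

def to_graph_utc(dt):
    """Render a datetime as an unquoted ISO 8601 UTC literal ending in Z."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive values are already UTC
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def build_url(since):
    """Build the request URL with the $filter expression percent-encoded."""
    expr = "activityDateTime ge " + to_graph_utc(since)
    return GRAPH_URL + "?$filter=" + quote(expr, safe=":")

def parse_graph_time(value):
    """Parse a Z-suffixed Graph timestamp, trimming the fraction to 6 digits for %f."""
    whole, _, frac = value.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]
    parsed = datetime.strptime(whole + "." + frac, "%Y-%m-%dT%H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc)

def detections_since(detections, since):
    """Apply the same cutoff client-side to records that were already fetched."""
    if since.tzinfo is None:
        since = since.replace(tzinfo=timezone.utc)
    return [d for d in detections if parse_graph_time(d["activityDateTime"]) >= since]

# Constructed sample: ids are placeholders, timestamps are the two shown on this page.
SAMPLE = [
    {"id": "sample-1", "activityDateTime": "2019-12-26T17:40:02.1402381Z"},
    {"id": "sample-2", "activityDateTime": "2020-02-07T05:48:07.6322964Z"},
]

if __name__ == "__main__":
    cutoff = datetime(2020, 2, 5, tzinfo=timezone.utc)
    print(build_url(cutoff))
    print([d["id"] for d in detections_since(SAMPLE, cutoff)])
```
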
https://stackoverflow.com/questions/60061530