I am trying to filter RiskDetection data retrieved from Azure Identity Protection by date, and so far have had no success.
For the sample data below, the following filter by activityDateTime (or any date field in the sample data) does not show any results:
https://graph.microsoft.com/beta/riskDetections?$filter=activityDateTime gt '2019-12-25' and activityDateTime lt '2019-12-27'
From https://docs.microsoft.com/en-us/graph/query-parameters
Note: The following $filter operators are not supported for Azure AD resources: ne, gt, ge, lt, le, and not. The contains string operator is currently not supported on any Microsoft Graph resources.
Is it possible to filter RiskDetections by date? Any help would be appreciated.
The filter below with riskType and riskLevel shows data:
risk_detections_api_url = "https://graph.microsoft.com/beta/riskDetections?$filter=riskType eq 'anonymizedIPAddress' or riskLevel eq 'medium'"
The filter below with userPrincipalName shows data:
risk_detections_api_url = "https://graph.microsoft.com/beta/riskDetections?$filter=userPrincipalName eq '[email protected]'"
The filter below with ipAddress shows data:
risk_detections_api_url = "https://graph.microsoft.com/beta/riskDetections?$filter=ipAddress eq '195.228.45.176'"
Sample data
{
    "id": "8901d1fee9bqwqweqwe683a221af3d2ae691736f2e369e0dd530625398",
    "requestId": "cc755f41-0313-4cb2-96ce-3a6283fef200",
    "correlationId": "c422083d-0e32-4afb-af4e-6ca46e4235b4",
    "riskType": "anonymizedIPAddress",
    "riskState": "atRisk",
    "riskLevel": "medium",
    "riskDetail": "none",
    "source": "IdentityProtection",
    "detectionTimingType": "realtime",
    "activity": "signin",
    "tokenIssuerType": "AzureAD",
    "ipAddress": "195.228.45.176",
    "activityDateTime": "2019-12-26T17:40:02.1402381Z",
    "detectedDateTime": "2019-12-26T17:40:02.1402381Z",
    "lastUpdatedDateTime": "2019-12-26T17:43:21.8931807Z",
    "userId": "e3835755-80b0-4b61-a1c0-5ea9ead75300",
    "userDisplayName": "John Doe",
    "userPrincipalName": "[email protected]",
    "additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0\"}]",
    "location": {
        "city": "Budapest",
        "state": "Budapest",
        "countryOrRegion": "HU",
        "geoCoordinates": {
            "latitude": 47.45996,
            "longitude": 19.14968
        }
    }
}
Based on Properties, activityDateTime is of type datetimeoffset.
So you should use
GET https://graph.microsoft.com/beta/riskDetections?$filter=activityDateTime gt 2019-12-25
instead of
GET https://graph.microsoft.com/beta/riskDetections?$filter=activityDateTime gt '2019-12-25'
Here is a similar API document: List directoryAudits.
But when I test it, it gives a 500 error:
{
    "error": {
        "code": "Internal Server Error",
        "message": "There was an internal server error while processing the request. Error ID: d52436f6-073b-4fc8-b3bc-c6a6336d6886",
        "innerError": {
            "request-id": "d52436f6-073b-4fc8-b3bc-c6a6336d6886",
            "date": "2020-02-05T04:10:45"
        }
    }
}
I believe the beta version of this API is still changing. You can contact Microsoft support with your request ID for further investigation.
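The unquoted-literal form from the answer, plus a client-side date window for when the service rejects the filter, as an added example that is not part of the original question or answer. It assumes a full UTC timestamp (rather than a bare date) as the DateTimeOffset literal; the helper names and the extra sample records are constructed, and the page does not confirm that the beta endpoint accepts the date filter.

```python
import re
from datetime import datetime, timezone
from urllib.parse import quote

BASE_URL = "https://graph.microsoft.com/beta/riskDetections"  # endpoint from the page

def odata_timestamp(dt):
    """Render an aware datetime as an unquoted OData DateTimeOffset literal."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: attach a timezone first")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def build_url(start, end):
    """Build the date-window query; the literals are not wrapped in quotes."""
    flt = (f"activityDateTime gt {odata_timestamp(start)} "
           f"and activityDateTime lt {odata_timestamp(end)}")
    # Percent-encode spaces and colons; '$filter' itself stays literal.
    return f"{BASE_URL}?$filter={quote(flt, safe='')}"

def parse_graph_time(value):
    """Parse timestamps such as 2019-12-26T17:40:02.1402381Z into UTC datetimes."""
    # The sample data carries 7 fractional digits; datetime holds 6, so trim.
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    frac = (m.group(2) or "0")[:6].ljust(6, "0")
    stamp = datetime.strptime(f"{m.group(1)}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return stamp.replace(tzinfo=timezone.utc)

def filter_by_activity(detections, start, end):
    """Client-side equivalent of the gt/lt filter on activityDateTime."""
    return [d for d in detections
            if start < parse_graph_time(d["activityDateTime"]) < end]

# Constructed records; the first timestamp is the one in the page's sample data.
SAMPLE = [
    {"id": "a", "activityDateTime": "2019-12-26T17:40:02.1402381Z"},
    {"id": "b", "activityDateTime": "2019-12-24T23:59:59Z"},
    {"id": "c", "activityDateTime": "2019-12-27T00:00:00.0000000Z"},
]
START = datetime(2019, 12, 25, tzinfo=timezone.utc)
END = datetime(2019, 12, 27, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(build_url(START, END))
    print([d["id"] for d in filter_by_activity(SAMPLE, START, END)])
```

The client-side path can be combined with a filter the question shows working (riskType, riskLevel, ipAddress, userPrincipalName) to narrow the result set before the date window is applied locally.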