Advanced Hunting API cannot query IndetityInfo table

Longfei Chen 5 Reputation points Microsoft Employee
2023-07-18T03:25:24.74+00:00

In Postman, I send POST request to https://api.securitycenter.microsoft.com/api/advancedqueries/run and the payload is as below:

{
    "Query":"IdentityInfo"
}

I got 400 Bad Request and response is as below:

{
    "error": {
        "code": "BadRequest",
        "message": "'table' operator: Failed to resolve table expression named 'IdentityInfo'. Fix semantic errors in your query.",
        "target": "|16f0c184-457c5de8428dcfb0."
    }
}

However, I can get the IdentityInfo in https://security.microsoft.com/v2/advanced-hunting?tid=15c918e9-0017-4cbb-8215-80dbc9dfc876

SCC portal snapshot

Is there some error in my Azure AD API permission configuration?

AAD API Permission snapshot

Microsoft Defender for Identity
Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
175 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Fiona Matu 86 Reputation points Microsoft Employee
    2024-01-30T15:14:58.8866667+00:00

    Hi @Longfei Chen , I suppose that the error you are getting is caused by the API not being able to locate the table to are trying to query out. Advanced Hunting API currently only supports a subset of tables available in the Microsoft 365 security center and that could be the case with the IdentityInfo table.

    0 comments