Issue with Microsoft Cloud App Security API - Unexpected HTML Response (500 Error)

Arthur Bartoli 0 Reputation points
2024-10-30T14:01:07.77+00:00

Hi, I'm working on a Power BI solution for a client to monitor Shadow IT on managed devices and I wanted to query the Microsoft Cloud App Security API.

I am using an application which returns an OAuth2 token (to follow good practices) with the following rights : discovery.read, investigation.read, ThreatHunting.Read.All, User.Read, Machine.Read.All, SecurityRecommendation, Software.Read.All and Vulnerability.Read.All (although I only use the first 2). The information I need is a list of data traffic per day per user for a given discovered app.

I'm experiencing an unusual issue with the API. When I attempt to get data from https://xxxxx.portal.cloudappsecurity.com/api/v1/discovery/discovered_apps/streams (where xxxxx is the tenant's name), I'm consistently receiving an HTML response instead of the expected JSON. This response includes an HTTP 500 error code (internal server error) and looks like a standard HTML error page, which is strange for an API response.

I tried discovery/continuous_report (404), discovery/streams (404), discovery/discovered_apps/streams (500 code). All responses were a single line with escaped wharacters resembling a raw HTML page, here it is :

" <!doctype html><html lang=\"en\" xmlns:ng=\"https://angularjs.org\"><head><script defer=\"defer\" src=\"https://cdn.cloudappsecurity.com/console/0.290.177/js/error.js\" crossorigin=\"anonymous\"></script><link href=\"https://cdn.cloudappsecurity.com/console/0.290.177/css/error.css\" rel=\"stylesheet\"></head><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"><meta name=\"google\" content=\"notranslate\"><meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"><script>var ADALLOM_USER = '';\nvar ADALLOM_TENANT_ID = null;\nvar FULL_LOCALE = 'en-US';\nvar SERVER_URL = '';\nvar CONSOLE_CDN_URL = 'https://cdn.cloudappsecurity.com/console/0.290.177/';\n// whether we work through AUTH GATEWAY or not\nvar USING_GATEWAY = false;</script><meta name=\"viewport\" content=\"initial-scale=1,width=device-width\"><link rel=\"icon\" type=\"image/x-icon\" href=\"https://cdn.cloudappsecurity.com/console/0.290.177/images/cas_favicon.ico\"><body><div class=\"error_page\"><div class=\"header\">500</div><div class=\"description\"><div class=\"error_message\">Internal error</div><div class=\"support_message\">If the problem persists, contact <a href=\"https://support.microsoft.com/oas/default.aspx?prid=16031\" target=\"_blank\">support</a>.</div></div><a href=\"/\"><img src=\"https://cdn.cloudappsecurity.com/console/0.290.177/images/go_to.svg\"><div class=\"dashboard-link\">Go to dashboard</div></a><img src=\"https://cdn.cloudappsecurity.com/console/0.290.177/images/ms.logo.gray.svg\" class=\"cas-footer\"></div></body></html>"

Dev comments are even visible.

I could access with no issue /alerts, /activities and /discovery/discovered_apps. The related application shows no issues and my rights are effective/validated by an administrator. I have also spent several workdays going through the documentation and I can safely say that a lot of issues are going with this: wrong authentification information (e.g. specifiy 'token' instead of 'bearer' in the oauth2 authentification), conflicting code samples and wrong endpoint documentation (discovery/streams doesn't seem to exist, contrary to what is specified).

Could anyone access the discovery endpoints to get data traffic per user per day ? Are these endpoints really accessible or are they obsolete/moved to another API ? Could anyone point me toward the right documentation ?

Any answers are welcome :) thank you for your time.

Microsoft 365
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
5,202 questions
Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps
A Microsoft cloud access security broker that enables customers to control the access and use of software as a service apps in their organization.
151 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Prathista Ilango 95 Reputation points Microsoft Employee
    2024-11-20T06:25:34.7366667+00:00

    Hello Arthur Bartoli,
    For Cloud discovery, the supported actions are as per the below article,

    https://learn.microsoft.com/en-us/defender-cloud-apps/api-discovery

    For continuous reports, the correct path is "api/discovery/streams/".

    More info here: https://learn.microsoft.com/en-us/defender-cloud-apps/api-discovery-list-streams

    Also, there is a preview feature released this month for Graph API support. More details in the articles below,
    https://learn.microsoft.com/en-us/defender-cloud-apps/release-notes#defender-for-cloud-apps-support-for-graph-api-preview

    https://learn.microsoft.com/en-us/defender-cloud-apps/discovered-apps-api-graph

    https://learn.microsoft.com/en-us/graph/api/resources/security-cloudappdiscovery-overview?view=graph-rest-beta

    If this doesn't work, please get in touch with support. Refer to the below link to contact support: https://learn.microsoft.com/en-us/defender-cloud-apps/support-and-ts#open-a-service-requestIf you found the information above helpful, please Click Yes. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.