Cyb3rWard0g
commented
2 years ago Maybe? Testing.
Open Cyb3rWard0g opened 2 years ago
Cyb3rWard0g
commented
2 years ago Maybe? Testing.
Cyb3rWard0g
commented
2 years ago Nope!
Cyb3rWard0g
commented
2 years ago mmm license is not recognized in Azure Sentinel?
Cyb3rWard0g
commented
2 years ago In my tenant, this is what is failing
Cyb3rWard0g
commented
2 years ago The Incidents connection was enabled properly via the UI:
I got the following logs with network developer tools:
{
"requests": [
{
"content": {
"kind": "MicrosoftThreatProtection",
"properties": {
"tenantId": "TENANT-ID",
"dataTypes": {
"incidents": {
"state": "enabled"
},
"alerts": {
"state": "disabled"
}
}
},
"id": null
},
"httpMethod": "PUT",
"name": "NAME",
"requestHeaderDetails": {
"commandName": "Microsoft_Azure_Security_Insights."
},
"url": "https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/DATA-CONNECTOR-ID?api-version=2019-01-01-preview"
}
]
}
{
"requests": [
{
"content": {
"kind": "MicrosoftDefenderAdvancedThreatProtection",
"properties": {
"tenantId": "TENANT-ID",
"dataTypes": {
"alerts": {
"state": "enabled"
}
}
}
},
"httpMethod": "PUT",
"name": "NAME",
"requestHeaderDetails": {
"commandName": "Microsoft_Azure_Security_Insights."
},
"url": "https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/CONNECTOR-ID?api-version=2019-01-01-preview"
},
{
"content": {
"kind": "OfficeATP",
"properties": {
"tenantId": "TENANT-ID",
"dataTypes": {
"alerts": {
"state": "enabled"
}
}
},
"id": "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/OATP-ID",
"etag": "TAG"
},
"httpMethod": "PUT",
"name": "NAME",
"requestHeaderDetails": {
"commandName": "Microsoft_Azure_Security_Insights."
},
"url": "https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/OATP-ID?api-version=2019-01-01-preview"
},
{
"content": {
"kind": "AzureAdvancedThreatProtection",
"properties": {
"tenantId": "TENANT-ID",
"dataTypes": {
"alerts": {
"state": "enabled"
}
}
},
"id": "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/AATP-ID",
"etag": "TAG"
},
"httpMethod": "PUT",
"name": "NAME",
"requestHeaderDetails": {
"commandName": "Microsoft_Azure_Security_Insights."
},
"url": "https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/AATP-ID?api-version=2019-01-01-preview"
},
{
"content": {
"kind": "MicrosoftCloudAppSecurity",
"properties": {
"dataTypes": {
"alerts": {
"state": "enabled"
},
"discoveryLogs": {
"state": "enabled"
}
},
"tenantId": "TENANT-ID"
},
"id": "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/MCAS-ID",
"etag": "TAG"
},
"httpMethod": "PUT",
"name": "NAME",
"requestHeaderDetails": {
"commandName": "Microsoft_Azure_Security_Insights."
},
"url": "https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/MCAS-ID?api-version=2019-01-01-preview"
}
]
}It all looks good to me compared with the data connector file from above.
ReneRebsdorf
commented
2 years ago We had similar problem. Activated E5 preview, which made the License available under the same pane as the one you screenshotted. However we still experience:
{
"status": "Failed",
"error": {
"code": "InvalidLicense",
"message": "Missing consent"
}
}I suspect it may be related to the template also trying to configure the 'Advanced Hunting', which require the M365 defender preview connector - but not sure.
@Cyb3rWard0g : Were you able to resolve the issue?
julivanespi
commented
2 years ago @Cyb3rWard0g @ReneRebsdorf I am experiencing the same issue with postman.
{
"error": {
"code": "InvalidLicense",
"message": "Missing consent"
}
}I assume that you both are using the api-version=2020-01-01 correct? @ReneRebsdorf, the json response that you provided is slightly different.
I had tried this api back in 8/20/2021 when I was integrating the other Microsoft data connectors. I was able to connect O365 just fine.
ReneRebsdorf
commented
2 years ago @julivanespi Yes we are using the 2020-01-01 API. Our bicep template looks like this:
resource mdatp 'Microsoft.SecurityInsights/dataConnectors@2020-01-01' = {
scope: logAnalytics
name: 'mdatp'
kind: 'MicrosoftDefenderAdvancedThreatProtection'
properties: {
tenantId: tenantId
dataTypes: {
alerts: {
state: 'Enabled'
}
}
}
}
Dabuek
commented
2 years ago +1 I am now having the same issues as this for the EnableDataConnector deployment - specifically;
Cyb3rWard0g
commented
2 years ago This the template we use btwe: https://github.com/OTRF/Microsoft-Sentinel2Go/blob/master/microsoft-sentinel/linkedtemplates/data-connectors/allConnectors.json
I use API version 2019-01-01-preview since that's what the portal was using when doing it manually. I just tested it again today and it worked fine:
Cyb3rWard0g
commented
2 years ago @julivanespi @ReneRebsdorf @Dabuek are you still having issues with the data connectors?
ReneRebsdorf
commented
2 years ago @Cyb3rWard0g I'll make sure to test next week.
ReneRebsdorf
commented
2 years ago @Cyb3rWard0g
Strangely I am still unable to get it to work, tested using the following API versions:
Still gives error:
{
"status": "Failed",
"error": {
"code": "InvalidLicense",
"message": "Missing consent"
}
}If I enable the the connector manually and run the code I do not get the error, but this is not ideal for initial configuration, nor for dev environments.
Bicep template is the same as in my reply from the 14th of December 2021 in this thread
Is there perhaps something else you've been able to do, that resolved the issue for you?
f-bader
commented
1 year ago The same problem applies to MicrosoftThreatProtection connector. As soon as you connect it through the UI it works fine, but before that an License is invalid is thrown. This is regardless of the fact that MDE is licensed through Defender for Cloud
Cyb3rWard0g
commented
1 year ago The weird thing is that it works sometimes and sometimes it doesn't. 🤔
f-bader
commented
1 year ago I contacted Microsoft support about this and they confirmed it is a current limitation but have no immediate solution.
The issue is related to an additional API call to the security API, that enables the Sentinel integration on the Defender end. As soon as this setting is enabled you can deploy without issue, but the bicep or arm deployment will fail if it is not set correctly.
ReneRebsdorf
commented
1 year ago I contacted Microsoft support about this and they confirmed it is a current limitation but have no immediate solution.
The issue is related to an additional API call to the security API, that enables the Sentinel integration on the Defender end. As soon as this setting is enabled you can deploy without issue, but the bicep or arm deployment will fail if it is not set correctly.
I wonder if this call could be made using a deploymentScript?
Ugh, this sounds like things the backend should take care of for us. We declare what we need through a template, and the resource provider should take care of dependencies...
Cyb3rWard0g
commented
1 year ago I contacted Microsoft support about this and they confirmed it is a current limitation but have no immediate solution.
The issue is related to an additional API call to the security API, that enables the Sentinel integration on the Defender end. As soon as this setting is enabled you can deploy without issue, but the bicep or arm deployment will fail if it is not set correctly.
Hello @f-bader ! Thank you for the additional information. Do you remember who you talked to about it? I will send a private message to get more information and see if we could expedite something on our end. Thank you in advance!
sandeep5234
commented
1 year ago MicrosoftThreatProtection {"error":{"code":"InvalidLicense","message":"License is invalid"}} 401
Getting same error here , I am using api-version=2022-07-01-preview . I am deploying it using invoke-azrestMethod Any update on this?
paggarwalmsft
commented
1 year ago Hi Team, any update on the same a we are also facing the same problem
MicrosoftAdvanceedThreatProtection {"error":{"code":"InvalidLicense","message":"License is invalid"}} 401
CloudGuardianMike
commented
1 year ago Any update on this? same error.
findajay
commented
11 months ago Same error while trying from terraform azurerm_sentinel_data_connector_microsoft_threat_protection │ securityinsight.DataConnectorsClient#CreateOrUpdate: Failure responding to │ request: StatusCode=401 -- Original Error: autorest/azure: Service returned │ an error. Status=401 Code="InvalidLicense" Message="License is invalid"
mezzofix
commented
10 months ago Same when deploying from Terraform. @Microsoft any clowns available in the MSFT circus to look at this ?
Anyone with a workaround ?
Kaloszer
commented
10 months ago Same here, bicep template. This needs to be addressed, it blocks MSSPs from automating sentinel dc deployments.
AlfredSchreuder
commented
4 months ago @microsoft We also experience this issue for the following data connectors: 'MicrosoftThreatProtection' and 'MicrosoftDefenderAdvancedThreatProtection'. It seems that this issue is open for a long time and there is no solution still.
Same issues:
Next to this issue I see almost no development on the data connectors API, is there some news to be spread how to enable data connectors automated in the future, since it seems to be moving to Content Hub. It is hard to find any docs about how to deploy this for example via Bicep!?
Also I have a question regarding 'Tenant-based Microsoft Defender for Cloud (Preview)' data connector. We deploy this now via GenericUI data connector kind, but this has no option to enable it via automation. Same as the question in the previous paragraph, how would this be made possible?
Kaloszer
commented
1 month ago @AlfredSchreuder
I have raised another support issue but got the same response not supported...
https://github.com/Azure/Azure-Sentinel/issues/9986#issuecomment-2082325311
Testing environment in a new environment with M365 E5 licenses enabled. I believe I might be missing either a license to enable the Azure Sentinel data connector or maybe just a few settings in MDE to enable the connection with the SIEM