briandelmsft / STAT-Function

Azure Function for the Microsoft Sentinel Triage AssistanT (STAT)
https://aka.ms/mstat
MIT License

File Insights Module Error #30

Closed mikedizzle closed 1 year ago

mikedizzle commented 1 year ago

I'm getting the following error on File Insights module. I can't figure out what is failing.

```json
{
  "Error": "Microsoft 365 Advanced Hunting Query failed to execute",
  "InvocationId": "a50b2497-05b4-465f-8610-b2dc518479a5",
  "SourceError": {
    "error": {
      "code": "BadRequest",
      "message": "'where' operator: Failed to resolve table or column expression named 'EmailAttachmentInfo'. Fix semantic errors in your query.",
      "target": "|dda96034-4495868f9e453baf."
    }
  },
  "Traceback": [
    "Traceback (most recent call last):\n",
    " File \"/home/site/wwwroot/modules/init.py\", line 19, in main\n return_data = coordinator.initiate_module(module_name=module_name, req_body=req_body)\n",
    " File \"/home/site/wwwroot/shared/coordinator.py\", line 25, in initiate_module\n return_data = file.execute_file_module(req_body)\n",
    " File \"/home/site/wwwroot/modules/file.py\", line 27, in execute_file_module\n file_results = rest.execute_m365d_query(base_object, email_file_query)\n",
    " File \"/home/site/wwwroot/shared/rest.py\", line 156, in execute_m365d_query\n raise STATError('Microsoft 365 Advanced Hunting Query failed to execute', data)\n",
    "classes.STATError: ('Microsoft 365 Advanced Hunting Query failed to execute', {'error': {'code': 'BadRequest', 'message': \"'where' operator: Failed to resolve table or column expression named 'EmailAttachmentInfo'. Fix semantic errors in your query.\", 'target': '|dda96034-4495868f9e453baf.'}})\n"
  ]
}
```

mikedizzle commented 1 year ago

Below is the endpoint it's trying to use (M365_ENDPOINT). Is that right for GCC envs? I don't think the ARM deploy template asks for an endpoint string for that one? As you see, I did set the MDE_ENDPOINT for GCC.

edit: Changed screenshot

[screenshot]

briandelmsft commented 1 year ago

Hi @mikedizzle, if you are in GCC the M365_ENDPOINT should be api-gcc.security.microsoft.us as per https://learn.microsoft.com/microsoft-365/security/defender/usgov?view=o365-worldwide#api

You can just change it there and save it, no need to redeploy.
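The failure mode in this thread is a mismatched pair of app settings: MDE_ENDPOINT points at the GCC Defender for Endpoint API while M365_ENDPOINT still points at the commercial Microsoft 365 Defender API, and the mistake only surfaces later as a confusing KQL semantic error. The check below is an added example, not code from the STAT-Function project, that a function could run at startup to fail fast on such a mismatch. The per-cloud hostnames are taken from the Microsoft Learn page linked above (treat them as an assumption and verify against that page); the `check_defender_endpoints` function, the sample settings dicts and the `/api/advancedhunting/run` path are mine.

```python
"""Startup consistency check for M365_ENDPOINT and MDE_ENDPOINT app settings.

Added example, not part of STAT-Function. Hostnames below are the values
listed on the Microsoft Learn US Government page for Defender APIs; verify
them against that page before relying on them.
"""
from urllib.parse import urlparse

# Microsoft 365 Defender (Advanced Hunting) API hostnames per cloud.
M365_ENDPOINTS = {
    "commercial": "api.security.microsoft.com",
    "gcc": "api-gcc.security.microsoft.us",
    "gcc-high": "api-gov.security.microsoft.us",
}

# Microsoft Defender for Endpoint API hostnames per cloud.
MDE_ENDPOINTS = {
    "commercial": "api.securitycenter.microsoft.com",
    "gcc": "api-gcc.securitycenter.microsoft.us",
    "gcc-high": "api-gov.securitycenter.microsoft.us",
}


def _hostname(value: str) -> str:
    """Accept 'host', 'https://host' or 'https://host/' and return the bare host."""
    value = value.strip()
    if "://" not in value:
        value = "https://" + value
    host = urlparse(value).hostname
    if not host:
        raise ValueError(f"not a hostname or URL: {value!r}")
    return host.lower()


def _cloud_of(host: str, table: dict) -> str:
    """Map a known API hostname back to its cloud name."""
    for cloud, known in table.items():
        if host == known:
            return cloud
    raise ValueError(
        f"unrecognised endpoint {host!r}; expected one of {sorted(table.values())}"
    )


def check_defender_endpoints(settings: dict) -> dict:
    """Validate that both endpoints belong to the same sovereign cloud.

    Returns {"ok": True, "cloud": ..., "advanced_hunting_url": ...} when the
    settings agree, or {"ok": False, "error": ...} with the value to set when
    they do not. Both settings must be present; missing ones are reported too.
    """
    try:
        m365_host = _hostname(settings["M365_ENDPOINT"])
        mde_host = _hostname(settings["MDE_ENDPOINT"])
        m365_cloud = _cloud_of(m365_host, M365_ENDPOINTS)
        mde_cloud = _cloud_of(mde_host, MDE_ENDPOINTS)
    except KeyError as missing:
        return {"ok": False, "error": f"app setting {missing.args[0]} is not set"}
    except ValueError as bad:
        return {"ok": False, "error": str(bad)}

    if m365_cloud != mde_cloud:
        return {
            "ok": False,
            "error": (
                f"MDE_ENDPOINT is the {mde_cloud} endpoint but M365_ENDPOINT is the "
                f"{m365_cloud} endpoint; set M365_ENDPOINT={M365_ENDPOINTS[mde_cloud]}"
            ),
        }

    # Advanced Hunting query endpoint for the detected cloud.
    return {
        "ok": True,
        "cloud": m365_cloud,
        "advanced_hunting_url": f"https://{m365_host}/api/advancedhunting/run",
    }


# Constructed sample settings: the first mirrors the mismatch in this issue,
# the second is the corrected GCC configuration.
MISMATCHED_SETTINGS = {
    "M365_ENDPOINT": "api.security.microsoft.com",
    "MDE_ENDPOINT": "https://api-gcc.securitycenter.microsoft.us/",
}
CORRECTED_SETTINGS = {
    "M365_ENDPOINT": "api-gcc.security.microsoft.us",
    "MDE_ENDPOINT": "api-gcc.securitycenter.microsoft.us",
}

if __name__ == "__main__":
    for name, cfg in (("mismatched", MISMATCHED_SETTINGS), ("corrected", CORRECTED_SETTINGS)):
        print(name, check_defender_endpoints(cfg))
```

Run once at function startup and refuse to serve requests when `ok` is false; the returned `error` names the exact setting and value to fix, which is far easier to act on than the "Failed to resolve table or column expression" message the wrong API returns.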

mikedizzle commented 1 year ago

Ok. Thanks. Did I miss that parameter in the deploy? I don't remember seeing it.