Hi, I'm working on a Power BI solution for a client to monitor Shadow IT on managed devices and I wanted to query the Microsoft Cloud App Security API.
I am using an application which returns an OAuth2 token (to follow good practices) with the following rights: discovery.read, investigation.read, ThreatHunting.Read.All, User.Read, Machine.Read.All, SecurityRecommendation, Software.Read.All and Vulnerability.Read.All (although I only use the first 2). The information I need is a list of data traffic per day per user for a given discovered app.
I'm experiencing an unusual issue with the API. When I attempt to get data from https://xxxxx.portal.cloudappsecurity.com/api/v1/discovery/discovered_apps/streams (where xxxxx is the tenant's name), I'm consistently receiving an HTML response instead of the expected JSON. This response includes an HTTP 500 error code (internal server error) and looks like a standard HTML error page, which is strange for an API response.
I tried discovery/continuous_report (404), discovery/streams (404), discovery/discovered_apps/streams (500 code). All responses were a single line with escaped characters resembling a raw HTML page; here it is:
" <!doctype html><html lang=\"en\" xmlns:ng=\"https://angularjs.org\"><head><script defer=\"defer\" src=\"https://cdn.cloudappsecurity.com/console/0.290.177/js/error.js\" crossorigin=\"anonymous\"></script><link href=\"https://cdn.cloudappsecurity.com/console/0.290.177/css/error.css\" rel=\"stylesheet\"></head><meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\"><meta name=\"google\" content=\"notranslate\"><meta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"><script>var ADALLOM_USER = '';\nvar ADALLOM_TENANT_ID = null;\nvar FULL_LOCALE = 'en-US';\nvar SERVER_URL = '';\nvar CONSOLE_CDN_URL = 'https://cdn.cloudappsecurity.com/console/0.290.177/';\n// whether we work through AUTH GATEWAY or not\nvar USING_GATEWAY = false;</script><meta name=\"viewport\" content=\"initial-scale=1,width=device-width\"><link rel=\"icon\" type=\"image/x-icon\" href=\"https://cdn.cloudappsecurity.com/console/0.290.177/images/cas_favicon.ico\"><body><div class=\"error_page\"><div class=\"header\">500</div><div class=\"description\"><div class=\"error_message\">Internal error</div><div class=\"support_message\">If the problem persists, contact <a href=\"https://support.microsoft.com/oas/default.aspx?prid=16031\" target=\"_blank\">support</a>.</div></div><a href=\"/\"><img src=\"https://cdn.cloudappsecurity.com/console/0.290.177/images/go_to.svg\"><div class=\"dashboard-link\">Go to dashboard</div></a><img src=\"https://cdn.cloudappsecurity.com/console/0.290.177/images/ms.logo.gray.svg\" class=\"cas-footer\"></div></body></html>"
Dev comments are even visible.
I could access /alerts, /activities and /discovery/discovered_apps with no issue. The related application shows no issues and my rights are effective/validated by an administrator. I have also spent several workdays going through the documentation and I can safely say that there are a lot of issues with it: wrong authentication information (e.g. specifying 'token' instead of 'bearer' in the OAuth2 authentication), conflicting code samples and wrong endpoint documentation (discovery/streams doesn't seem to exist, contrary to what is specified).
Could anyone access the discovery endpoints to get data traffic per user per day? Are these endpoints really accessible, or are they obsolete/moved to another API? Could anyone point me toward the right documentation?
Any answers are welcome :) thank you for your time.
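As an added example (not part of the original post, and not Microsoft's or the poster's code), here is a small Python client that sends the OAuth2 token with the Bearer scheme the post refers to and classifies what comes back before attempting to parse it, so that the console's HTML 500 page is reported as such instead of being fed to a JSON parser. The function names (build_headers, classify_response, fetch_discovery, FakeResponse) are assumptions for this example; the tenant host xxxxx.portal.cloudappsecurity.com is the placeholder from the post; the sample response bodies are constructed, not captured from the service.

```python
"""Added example: call a Defender for Cloud Apps discovery endpoint with an
OAuth2 bearer token and tell a JSON payload apart from the HTML error page.
Function names and the sample bodies below are assumptions for this example."""
import json
import urllib.error
import urllib.request

# Constructed sample bodies for offline use (not captured from the service).
SAMPLE_JSON_BODY = '{"data": [{"app_id": 1, "user": "u@example.com", "upload_bytes": 42}]}'
SAMPLE_HTML_BODY = (
    '<!doctype html><html lang="en"><head><script src="https://cdn.example/error.js">'
    '</script></head><body><div class="error_page"><div class="header">500</div>'
    '<div class="error_message">Internal error</div></div></body></html>'
)


def build_headers(token: str) -> dict:
    # OAuth2 access tokens go in the "Bearer" scheme. Sending "Token <token>"
    # (the scheme used for legacy API tokens) with an OAuth2 token is the
    # documentation mix-up the post mentions and yields an auth failure.
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def classify_response(status: int, content_type: str, body: str) -> dict:
    """Return a dict with "kind" and either "data" or "detail"; never json-parse HTML."""
    media_type = (content_type or "").split(";")[0].strip().lower()
    looks_html = media_type == "text/html" or body.lstrip()[:15].lower().startswith("<!doctype html")
    if looks_html:
        # The console error page is not an API error object. Record only the
        # status and a short marker: the page carries console build paths and
        # a tenant-scoped script block that do not belong in application logs.
        return {"kind": "html_error", "status": status, "detail": "console error page"}
    if 200 <= status < 300:
        try:
            return {"kind": "json", "status": status, "data": json.loads(body)}
        except json.JSONDecodeError as exc:
            return {"kind": "bad_json", "status": status, "detail": str(exc)}
    if status == 404:
        return {"kind": "not_found", "status": status, "detail": "path does not exist on this API"}
    return {"kind": "http_error", "status": status, "detail": body[:200]}


def fetch_discovery(base_url: str, path: str, token: str, opener=urllib.request.urlopen) -> dict:
    """GET base_url + path with a bearer token. `opener` is injectable for offline runs."""
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    req = urllib.request.Request(url, headers=build_headers(token), method="GET")
    try:
        with opener(req) as resp:
            return classify_response(resp.status, resp.headers.get("Content-Type", ""),
                                     resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the error object still carries the body.
        return classify_response(err.code, err.headers.get("Content-Type", ""),
                                 err.read().decode("utf-8", "replace"))


class FakeResponse:
    """Offline stand-in for an HTTP response (constructed for this example)."""

    def __init__(self, status: int, content_type: str, body: str):
        self.status = status
        self.headers = {"Content-Type": content_type}
        self._body = body.encode("utf-8")

    def read(self) -> bytes:
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


if __name__ == "__main__":
    base = "https://xxxxx.portal.cloudappsecurity.com/api/v1"
    ok = fetch_discovery(base, "discovery/discovered_apps", "<oauth2-token>",
                         opener=lambda req: FakeResponse(200, "application/json", SAMPLE_JSON_BODY))
    broken = fetch_discovery(base, "discovery/discovered_apps/streams", "<oauth2-token>",
                             opener=lambda req: FakeResponse(500, "text/html; charset=UTF-8", SAMPLE_HTML_BODY))
    print(ok["kind"], broken["kind"])
```

The HTML check is done on both the Content-Type header and the body prefix, because a misconfigured gateway can return an HTML page with a JSON content type; logging only the status and a marker for that case keeps console internals out of the Power BI refresh logs while still making the failure obvious.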