I am trying to get the Incidents using the Azure Government Cloud as described here: https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list?view=rest-securityinsights-2024-09-01&tabs=HTTP
Request to get the token:
curl --location 'https://login.microsoftonline.us/TENANT_ID/oauth2/v2.0/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=CLIENT_ID' \
  --data-urlencode 'client_secret=CLIENT_SECRET' \
  --data-urlencode 'grant_type=client_credentials' \
  --data-urlencode 'scope=https://management.usgovcloudapi.net//.default'
Response:
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":3599,"access_token":"..."}
Request to get the incidents:
curl --location 'https://management.usgovcloudapi.net/subscriptions/SUBSCRIPTION_ID/resourceGroups/GROUP_NAME/providers/Microsoft.OperationalInsights/workspaces/WORKSPACE_NAME/providers/Microsoft.SecurityInsights/incidents?api-version=2024-04-01-preview&$filter=(properties/lastModifiedTimeUtc ge 2024-12-20T10:23:00Z and properties/lastModifiedTimeUtc le 2024-12-20T10:25:00Z)&$top=100' \
  --header 'Authorization: Bearer ey...'
Response: 401 Forbidden
The same API calls work properly for Global Azure (management.azure.com) and the incidents are returned.
2 Answers

Thank you Venkatesan! Adding the role Microsoft Sentinel Contributor to the app solved the issue!

The above error occurs when you don't have proper permission or are passing incorrect values in the REST API URL.

Assign the Reader or Microsoft Sentinel Contributor role to your Azure service principal under the subscription to get the incidents.

Portal:

Also, you're using the 2024-04-01-preview API version in the incidents query, but the documentation you shared references 2024-09-01. Please make sure to use the correct API version.

Now you can try the request with proper values and permissions in your environment.
Reference:
Incidents – List – REST API (Azure Sentinel) | Microsoft Learn
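The script below is an added example, not code from the question or the answers. It puts the two points raised on this page into one place: the token and ARM endpoints must belong to the same cloud (login.microsoftonline.us together with management.usgovcloudapi.net for Azure Government), and the incidents call must carry the role assignment and API version the answer mentions. It builds the token request and the incidents URL, decodes the `aud` claim of an access token so a mismatched cloud can be spotted before the call is made, and maps 401 and 403 to their usual causes. All tenant, subscription, resource-group and workspace values are placeholders, the sample JWT is constructed and unsigned, and the 2024-09-01 API version is taken from the documentation linked in the question.

```python
"""Build and sanity-check a Microsoft Sentinel incidents request for Azure Government.

Added example; placeholder identifiers throughout. Only list_incidents() touches the network.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Login and ARM hosts differ per cloud; mixing them is a common cause of 401 responses.
CLOUDS = {
    "global": {"login": "https://login.microsoftonline.com", "arm": "https://management.azure.com"},
    "usgov": {"login": "https://login.microsoftonline.us", "arm": "https://management.usgovcloudapi.net"},
}
API_VERSION = "2024-09-01"  # version described by the documentation linked in the question


def token_request(cloud, tenant_id, client_id, client_secret):
    """Return (url, form_body) for the client-credentials grant in the chosen cloud."""
    c = CLOUDS[cloud]
    url = f"{c['login']}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        # The scope must name the ARM host of the same cloud the incidents call goes to.
        "scope": f"{c['arm']}/.default",
    })
    return url, body


def incidents_url(cloud, subscription_id, resource_group, workspace, start, end, top=100):
    """Build the incidents list URL with an OData window on lastModifiedTimeUtc."""
    c = CLOUDS[cloud]
    path = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/incidents")
    query = urllib.parse.urlencode({
        "api-version": API_VERSION,
        "$filter": f"(properties/lastModifiedTimeUtc ge {start} and properties/lastModifiedTimeUtc le {end})",
        "$top": top,
    }, safe="$/", quote_via=urllib.parse.quote)  # keep $filter/$top names and path slashes readable
    return f"{c['arm']}{path}?{query}"


def token_audience(access_token):
    """Decode the JWT payload (no signature verification) and return its 'aud' claim."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud")


def token_matches_cloud(access_token, cloud):
    """True when the token was issued for the ARM host of the given cloud (trailing slash ignored)."""
    aud = token_audience(access_token)
    return aud is not None and aud.rstrip("/") == CLOUDS[cloud]["arm"]


def explain_status(status):
    """Map the two usual failure codes to their most likely cause."""
    if status == 401:
        return "token rejected: wrong cloud login endpoint or scope, or the token has expired"
    if status == 403:
        return "token accepted but no RBAC role on the workspace (assign Reader or Microsoft Sentinel Contributor)"
    return "ok" if status == 200 else f"unexpected status {status}"


def make_demo_token(aud):
    """Constructed, unsigned JWT used only to exercise token_audience() offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64({'aud': aud, 'iss': 'demo'})}."


def list_incidents(url, access_token):
    """Perform the GET and return (status, parsed JSON or error text). Network call; not run by tests."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


if __name__ == "__main__":
    url = incidents_url("usgov", "SUBSCRIPTION_ID", "GROUP_NAME", "WORKSPACE_NAME",
                        "2024-12-20T10:23:00Z", "2024-12-20T10:25:00Z")
    print(url)
    demo = make_demo_token("https://management.azure.com/")  # global-cloud audience
    print("token fits usgov:", token_matches_cloud(demo, "usgov"))  # False: would be rejected by usgov ARM
    print(explain_status(403))
```

Before calling `list_incidents`, run `token_matches_cloud` on the token you obtained; a token whose `aud` is management.azure.com will never be accepted by management.usgovcloudapi.net, whatever roles the service principal holds. A 403 after that check passes is the role-assignment problem the answer describes.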