Open
Labels
bug (use for describing something not working as expected), needs triage (use to identify issue needing triage from Filigran Product team)
Description
When running the Microsoft Defender collector through docker compose (image added to the main docker-compose.yml file), the container is up and healthy, but it doesn't work within the platform. Inspecting the logs of the Defender Collector docker container, it gives the following error:
Traceback (most recent call last):
File "/opt/openbas-collector-microsoft-defender/openbas_microsoft_defender.py", line 423, in <module>
openBASMicrosoftDefender.start()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
File "/opt/openbas-collector-microsoft-defender/openbas_microsoft_defender.py", line 418, in start
self.helper.schedule(message_callback=self._process_message, delay=period)
~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.13/site-packages/pyobas/helpers.py", line 298, in schedule
self.__daemon.start()
~~~~~~~~~~~~~~~~~~~^^
File "/usr/local/lib/python3.13/site-packages/pyobas/daemons/base_daemon.py", line 106, in start
self._setup()
~~~~~~~~~~~^^
File "/usr/local/lib/python3.13/site-packages/pyobas/daemons/collector_daemon.py", line 27, in _setup
document = self.api.document.upsert(document={}, file=collector_icon)
File "/usr/local/lib/python3.13/site-packages/pyobas/exceptions.py", line 86, in wrapped_f
return f(*args, **kwargs)
File "/usr/local/lib/python3.13/site-packages/pyobas/apis/document.py", line 26, in upsert
result = self.openbas.http_post(
path, post_data=document, files={"file": file}, **kwargs
)
File "/usr/local/lib/python3.13/site-packages/pyobas/client.py", line 268, in http_post
result = self.http_request(
"post",
...<5 lines>...
**kwargs,
)
File "/usr/local/lib/python3.13/site-packages/pyobas/client.py", line 186, in http_request
result = self.backend.http_request(
method=verb,
...<7 lines>...
**opts,
)
File "/usr/local/lib/python3.13/site-packages/pyobas/backends/backend.py", line 125, in http_request
response: requests.Response = self._client.request(
~~~~~~~~~~~~~~~~~~~~^
method=method,
^^^^^^^^^^^^^^
...<7 lines>...
**kwargs,
^^^^^^^^^
)
^
File "/usr/local/lib/python3.13/site-packages/requests/sessions.py", line 589, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.13/site-packages/requests/sessions.py", line 703, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.13/site-packages/requests/adapters.py", line 682, in send
raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
/opt/openbas-collector-microsoft-defender/openbas_microsoft_defender.py:412: DeprecationWarning: There is no current event loop
loop = asyncio.get_event_loop()
{"timestamp": "2025-07-09T12:19:22.034603Z", "level": "ERROR", "name": "Microsoft Defender", "message": "Error calling: \n APIError\n Code: 400\n message: None\n error: MainError(additional_data={}, code='BadRequest', details=None, inner_error=InnerError(additional_data={}, client_request_id='339076e6-6a8c-4472-944e-fb8f147aee09', date=datetime.datetime(2025, 7, 9, 12, 19, 41), odata_type=None, request_id='57e9d5d1-92c2-4e60-a565-101622890bfc'), message=\"graph-match operator: variable edge 'spawnedBy', referenced in graph projection, should be accessed using 'map', 'all' and 'any' graph functions (see https://aka.ms/deprecation-of-variable-length-edge-dot-notation). Fix semantic errors in your query.\", target=None)\n ", "exc_info": "Traceback (most recent call last):\n File \"/usr/local/lib/python3.13/site-packages/pyobas/daemons/base_daemon.py\", line 95, in _try_callback\n self._callback()\n ~~~~~~~~~~~~~~^^\n File \"/opt/openbas-collector-microsoft-defender/openbas_microsoft_defender.py\", line 413, in _process_message\n loop.run_until_complete(self._process_alerts(graph_client))\n ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/usr/local/lib/python3.13/asyncio/base_events.py\", line 725, in run_until_complete\n return future.result()\n ~~~~~~~~~~~~~^^\n File \"/opt/openbas-collector-microsoft-defender/openbas_microsoft_defender.py\", line 328, in _process_alerts\n await graph_client.security.microsoft_graph_security_run_hunting_query.post(\n ...<3 lines>...\n )\n File \"/usr/local/lib/python3.13/site-packages/msgraph/generated/security/microsoft_graph_security_run_hunting_query/microsoft_graph_security_run_hunting_query_request_builder.py\", line 55, in post\n return await self.request_adapter.send_async(request_info, HuntingQueryResults, error_mapping)\n ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/usr/local/lib/python3.13/site-packages/kiota_http/httpx_request_adapter.py\", line 193, 
in send_async\n await self.throw_failed_responses(response, error_map, parent_span, parent_span)\n File \"/usr/local/lib/python3.13/site-packages/kiota_http/httpx_request_adapter.py\", line 575, in throw_failed_responses\n raise exc\nmsgraph.generated.models.o_data_errors.o_data_error.ODataError: \n APIError\n Code: 400\n message: None\n error: MainError(additional_data={}, code='BadRequest', details=None, inner_error=InnerError(additional_data={}, client_request_id='339076e6-6a8c-4472-944e-fb8f147aee09', date=datetime.datetime(2025, 7, 9, 12, 19, 41), odata_type=None, request_id='57e9d5d1-92c2-4e60-a565-101622890bfc'), message=\"graph-match operator: variable edge 'spawnedBy', referenced in graph projection, should be accessed using 'map', 'all' and 'any' graph functions (see https://aka.ms/deprecation-of-variable-length-edge-dot-notation). Fix semantic errors in your query.\", target=None)\n ", "taskName": null}
Traceback (most recent call last):
File "/opt/openbas-collector-microsoft-defender/openbas_microsoft_defender.py", line 423, in <module>
openBASMicrosoftDefender.start()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
File "/opt/openbas-collector-microsoft-defender/openbas_microsoft_defender.py", line 418, in start
self.helper.schedule(message_callback=self._process_message, delay=period)
~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.13/site-packages/pyobas/helpers.py", line 298, in schedule
self.__daemon.start()
~~~~~~~~~~~~~~~~~~~^^
File "/usr/local/lib/python3.13/site-packages/pyobas/daemons/base_daemon.py", line 107, in start
self._start_loop()
~~~~~~~~~~~~~~~~^^
File "/usr/local/lib/python3.13/site-packages/pyobas/daemons/collector_daemon.py", line 62, in _start_loop
scheduler.enter(
~~~~~~~~~~~~~~~^
delay=delay,
^^^^^^^^^^^^
...<2 lines>...
argument=(scheduler, self._try_callback, delay),
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/usr/local/lib/python3.13/sched.py", line 84, in enter
time = self.timefunc() + delay
I tried switching to the current version but the same error occurs.
Environment
- OS : Ubuntu 24.02
- OpenBAS version: 1.13.1
- OpenBAS client: frontend
- Other environment details: -
Reproducible Steps
Steps to create the smallest reproducible scenario:
- Add the Defender Collector service to the main docker-compose.yml
- Run "docker compose up -d"
- Run "docker container logs {defender collector log id}"