mshubham
Staff
March 16, 2026

Troubleshooting Tip: Microsoft Defender alerts stop pulling due to pagination handling

Description
This article describes an issue where Microsoft Defender alerts stop being pulled by the Event Pulling Agent due to improper pagination handling in the Generic HTTP API poller.
Scope
FortiSIEM.
Solution
  1. First, test the API poller manually from the Collector CLI. Navigate to the poller directory:

 

cd /opt/phoenix/bin/

 

Usage syntax:

 

./genericHttpApiPoller.py input_json credential test_flag(false/true) orgID serverIp serverHostname pollInterval

 

Example:

 

./genericHttpApiPoller.py /tmp/generic-input.json credential true 1 192.168.1.10 lab01 300

 

Replace credential, server IP, and hostname with the actual values.

 

  2. Create a test JSON file.

 

cat > /tmp/input.json <<'EOF'
{
  "hostname": "graph.microsoft.com",
  "uriStem": "/v1.0/users",
  "httpMethod": "GET",
  "disable_ssl_cert_check": false,
  "log_header": "GraphAPI",
  "json_response_key": "value",
  "pagination_data": { "pagination_method": "none" },
  "authentication": {
    "auth_type": "bearer_token"
  },
  "parameters": [
    { "keyType": "string", "keyName": "$top", "keyValue": "5" }
  ],
  "headers": [
    { "keyType": "string", "keyName": "Accept", "keyValue": "application/json" }
  ],
  "body": {
    "body_encoding_type": "x-www-form-urlencoded",
    "key_value_pairs": []
  }
}
EOF

 

Validate JSON format:

 

python3 -m json.tool /tmp/input.json

 

Run the poller test:

 

./genericHttpApiPoller.py "$(cat /tmp/input.json)" credential true 1 graph.microsoft.com Windowsda 300

 

Replace the credential with the actual credential configured in FortiSIEM.

 

  3. Verify HTTPS Generic Poller configuration.

Edit the HTTPS Advanced (Generic HTTP API) Poller that is failing.

If the $filter parameter contains '+', replace it with a single whitespace (' ') and save the configuration.

The $filter parameter is defined under the Log API Parameters section, not in the Credential section.


Navigate to:

Log API Parameters → $filter → Edit.

Apply the change and re-test connectivity.
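
An added pre-check for the $filter step above (example code, not part of the original article or of FortiSIEM): it scans a poller input JSON of the shape shown in the test file for '+' in the $filter value and reports the space-separated replacement. The sample $filter value and the script name are constructed; treating the GUI's Log API Parameters as the JSON "parameters" list, and the percent-encoded forms, are assumptions that the article does not confirm for the poller.

```python
import json
import sys
from urllib.parse import quote

# Constructed sample in the shape of the test JSON above; the $filter value
# is made up for illustration.
SAMPLE = """{
  "hostname": "graph.microsoft.com",
  "uriStem": "/v1.0/users",
  "parameters": [
    {"keyType": "string", "keyName": "$top", "keyValue": "5"},
    {"keyType": "string", "keyName": "$filter",
     "keyValue": "createdDateTime+ge+2026-03-01T00:00:00Z"}
  ]
}"""


def check_filter_params(config_text, names=("$filter",)):
    """Return one finding per named parameter whose value contains '+'."""
    config = json.loads(config_text)  # raises ValueError on malformed JSON
    findings = []
    for param in config.get("parameters", []):
        name = param.get("keyName", "")
        value = str(param.get("keyValue", ""))
        if name not in names or "+" not in value:
            continue
        fixed = value.replace("+", " ")
        findings.append({
            "keyName": name,
            "current": value,
            "suggested": fixed,
            # Assumption: values are percent-encoded the standard way, so a
            # literal '+' goes out as %2B while a space goes out as %20.
            "current_encoded": quote(value, safe=""),
            "suggested_encoded": quote(fixed, safe=""),
        })
    return findings


if __name__ == "__main__":
    # Usage (hypothetical file name): python3 check_filter.py /tmp/input.json
    # With no argument the constructed SAMPLE is checked instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    results = check_filter_params(text)
    for f in results:
        print(f"{f['keyName']}: {f['current']!r} -> {f['suggested']!r}")
        print(f"  percent-encoded: {f['current_encoded']} -> {f['suggested_encoded']}")
    sys.exit(1 if results else 0)
```

The check is limited to $filter because a '+' in other values can be intentional; the script exits non-zero when it finds one so it can gate a configuration change.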

 

Related document:

Generic Log API Poller (HTTPS Advanced) Integration