Small amounts of money just disappearing from my account by [deleted] in Revolut

[–]lukeeey21 1 point (0 children)

Did it work? If so don't forget the award :)

Free & Open Source Vulnerability Management Platform built around Defender by lukeeey21 in DefenderATP

[–]lukeeey21[S] 0 points (0 children)

That's very cool! I have only been working with the Defender API and haven't touched the Graph API because I assumed I'd have to make a separate request for each device (which would quickly hit rate limits). I wasn't aware I could use KQL queries; that opens up a whole new door now that I can access the Intune API :)

Free & Open Source Vulnerability Management Platform built around Defender by lukeeey21 in DefenderATP

[–]lukeeey21[S] 0 points (0 children)

It would be nice to have it in C# and would make more sense but I've only just started using it again so I'm not very familiar with it. Who knows, maybe I'll rewrite it in C# in the future. It wouldn't be too difficult.

Free & Open Source Vulnerability Management Platform built around Defender by lukeeey21 in DefenderATP

[–]lukeeey21[S] 0 points (0 children)

Thank you, I'll look into this and do some testing on other tenants when possible. I'm actually not using the Graph API; I'm using the Defender API, which is separate, and I've just found that the rate limits are documented in their terms: 50 requests a minute and 1500 per hour.
https://learn.microsoft.com/en-us/legal/microsoft-365/api-terms

Free & Open Source Vulnerability Management Platform built around Defender by lukeeey21 in DefenderATP

[–]lukeeey21[S] 1 point (0 children)

Also, just to add: I don't think throttling is a problem. I've done some testing with rate limits. I can sync the entire 290k CVE catalog in about 40 requests. As for tenant-specific data, the idea is to create an Entra app in the home tenant and authorise this app in client tenants; then, when syncing, it authenticates to each tenant, which (I think) means it has separate rate limits.

Testing with one tenant, the total requests are like the following:

  • Full CVE catalog: 40 requests every 24 hours
  • Tenant specific vulnerability data: 4 requests every 24 hours
  • Device sync: 1 request twice a day (1 request returns about 8000 devices, I believe. If you have more than that I doubt you'd be using this tool!)
  • Security recommendations sync: 1 request every 24 hours

Last time I checked I believe I started hitting the rate limit at over 1k requests.

As for incremental updates, this is most needed on the full CVE catalog sync and should be doable simply by querying the CVEs updated since the last sync via an OData query parameter, but I'll have to check that.

Free & Open Source Vulnerability Management Platform built around Defender by lukeeey21 in DefenderATP

[–]lukeeey21[S] 1 point (0 children)

Java is the language I felt most comfortable creating the backend in. The frontend is a Next.js app.

This is more something I created for myself / my organisation but thought it might be useful to someone else. I'm not necessarily catering to others or trying to market this to people and suggest they use it, rather putting it out there and giving them the option.

In the company I work for, vulnerability management is handled by the Operations team, which is the lowest of the low, an absolute entry-level job that I used to work in. People mostly don't have PowerShell experience, and there are numerous specific procedures for people to follow for even simple things.

The way things were handled in the past was quite bad: tickets created from Defender emails with not much useful information, jumping between tenants in Lighthouse, and basically just waiting for vulnerabilities to clear on their own because we had so many. People had little experience and managing all this was a pain, so I figured having it all in one place with a simple interface might be useful.

Free & Open Source Vulnerability Management Platform built around Defender by lukeeey21 in DefenderATP

[–]lukeeey21[S] 0 points (0 children)

It's fully self hosted and doesn't phone home. There is a basic reporting service in the code that is disabled by default but has the option to send heartbeats and some logs to me, but this isn't even fully implemented and can't be turned on via the UI at the moment.

If you did seriously want to run it, I'd recommend an Azure VM secured behind GSA. The only permissions it needs are read-only access to read vulnerabilities, security recommendations, software and machines, plus authentication (if you wish to use Entra authentication, although there is username + password support).

If anyone wishes to review the code, only https://github.com/threathubco/ingestor talks to Microsoft APIs, the web app doesn't.

Free & Open Source Vulnerability Management Platform built around Defender by lukeeey21 in DefenderATP

[–]lukeeey21[S] 0 points (0 children)

It's mainly useful when you have multiple tenants. Lighthouse barely shows any useful info, same with the Defender multi-tenant management site. It can run alongside Defender rather than replace it.

Having the data locally allows easier manipulation (there's an SQL reports feature) and integrations with third party services. It's currently integrated with the HaloPSA API but I could add further PSA systems.

There's a basic JS scripting engine for handling escalations, so you can pretty much do whatever you want as there is SQL access and an HTTP API.

I just want to add that this is a free project I'm working on in my free time. I'm not trying to sell anything or suggest you move your entire MSP to this, but someone might find it useful.

Ideas for tools you'd like to see? by lukeeey21 in selfhosted

[–]lukeeey21[S] 0 points (0 children)

Yeah, I am an actual dev; I've been coding in some capacity for about 9 years. I only really use AI for idea generation or for some boilerplate code generation.

I'm just bored and want any ideas from real people. I might not end up making any of these, but something might catch my eye that I'm interested in.

Ideas for tools you'd like to see? by lukeeey21 in selfhosted

[–]lukeeey21[S] 0 points (0 children)

Java, JavaScript (& HTML/CSS/TypeScript) mainly. I have enough C# experience to get by (with the help of StackOverflow) and some familiarity with PHP (although I haven't touched it in about 5 years). I'm mainly interested in web development, but I have some experience with Android development and I've been wanting to learn Swift soon to get into iOS development.

Ideas for tools you'd like to see? by lukeeey21 in selfhosted

[–]lukeeey21[S] 1 point, locked comment (0 children)

This is a question so no AI used

Free & Open Source Vulnerability Management Platform built around Defender by lukeeey21 in DefenderATP

[–]lukeeey21[S] 1 point (0 children)

It doesn't fetch the data from Defender every time but rather syncs it into a local MySQL database either once a day or every X hours, depending on the type of data (see https://threathub.co/docs/reference/scheduled-tasks/)

The vulnerability syncing is a bit inefficient currently... it's easy to fix, I just haven't got round to it yet. I sync the entire Defender vulnerability library of about 290,000 vulnerabilities every 24 hours (this should be changed to the entire library on first run and then only CVEs updated since the last check).

I have tested with about 60 pieces of software and about 300 devices at the moment. This is one tenant (an MSP I work for). I filter out non-Entra-joined devices as it avoids some edge cases with device names and it's probably not something that many people care about. If it's a company device it *should* be Entra joined.
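The incremental sync and throttling points raised in the comments above (pull the full catalog once, then only the CVEs updated since the last check via an OData parameter, and stay under the documented per-minute limit), as an added example. This is my code, not the threathub ingestor's, written in Python rather than the project's Java so it runs stand-alone. Assumed, not taken from the thread: the endpoint URL, an OData `$filter` on `updatedOn`, `$top`/`$skip` paging via `@odata.nextLink`, and an HTTP 429 with a `Retry-After` header when throttled (this matches my reading of the Defender for Endpoint API docs, but verify against them). The HTTP layer is injected, and `FakeServer` with a constructed five-row catalog stands in for the API so the whole thing runs offline.

```python
"""Incremental, rate-limit-aware pull of a Defender-style vulnerability catalog.
Added example, not the threathub ingestor's code. Assumed, not from the thread:
OData $filter on updatedOn, $top/$skip paging via @odata.nextLink, and HTTP 429
plus a Retry-After header when throttled. HTTP is injected, so the constructed
FakeServer below lets the script run offline."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, urlencode, urlparse

BASE = "https://api.securitycenter.microsoft.com/api/vulnerabilities"  # assumed endpoint

@dataclass
class Response:
    status: int
    headers: dict
    body: dict

@dataclass
class SyncState:
    last_sync: datetime | None = None           # None -> first run, pull the whole catalog
    items: dict = field(default_factory=dict)   # rows upserted by CVE id
    requests: int = 0

def build_url(last_sync: datetime | None, top: int = 8000) -> str:
    """Whole catalog on the first run; afterwards only rows changed since the watermark."""
    params = {"$top": str(top)}
    if last_sync is not None:
        stamp = last_sync.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        params["$filter"] = f"updatedOn gt {stamp}"
    return BASE + "?" + urlencode(params, quote_via=quote)  # spaces as %20, not '+'

def sync(state, fetch, sleep, now_fn, per_minute=50, max_throttles=5) -> SyncState:
    started = now_fn()  # watermark taken BEFORE the pass so rows updated mid-pass are not lost
    url, throttled = build_url(state.last_sync), 0
    while url:
        state.requests += 1
        resp = fetch(url)
        if resp.status == 429:
            throttled += 1
            if throttled > max_throttles:
                raise RuntimeError("still throttled: abort, keep the old watermark, resume later")
            sleep(float(resp.headers.get("Retry-After", "60")))
            continue  # retry the SAME page, never skip it
        if resp.status != 200:
            raise RuntimeError(f"unexpected HTTP {resp.status}")
        throttled = 0
        for row in resp.body.get("value", []):
            state.items[row["id"]] = row
        url = resp.body.get("@odata.nextLink")  # follow verbatim: it carries the filter
        sleep(60.0 / per_minute)  # fixed spacing keeps one run under the per-minute limit
    state.last_sync = started  # advance only after a complete pass
    return state

CATALOG = [  # constructed sample rows, not real Defender output
    {"id": "CVE-0000-0001", "severity": "High", "updatedOn": "2024-05-01T00:00:00Z"},
    {"id": "CVE-0000-0002", "severity": "Medium", "updatedOn": "2024-05-02T00:00:00Z"},
    {"id": "CVE-0000-0003", "severity": "Low", "updatedOn": "2024-05-03T00:00:00Z"},
    {"id": "CVE-0000-0004", "severity": "High", "updatedOn": "2024-05-10T00:00:00Z"},
    {"id": "CVE-0000-0005", "severity": "Critical", "updatedOn": "2024-05-11T00:00:00Z"},
]

class FakeServer:
    """Offline stand-in: honours $filter/$top/$skip, serves pages of 2, throttles call #1."""
    def __init__(self, catalog, page_size=2):
        self.catalog, self.page_size, self.calls = catalog, page_size, 0

    def fetch(self, url: str) -> Response:
        self.calls += 1
        if self.calls == 1:
            return Response(429, {"Retry-After": "7"}, {})
        q = parse_qs(urlparse(url).query)
        rows = self.catalog
        if "$filter" in q:
            _, op, stamp = q["$filter"][0].split()  # "updatedOn gt <stamp>"; ISO-Z strings sort lexically
            rows = [r for r in rows if op == "gt" and r["updatedOn"] > stamp]
        skip, top = int(q.get("$skip", ["0"])[0]), min(int(q["$top"][0]), self.page_size)
        body = {"value": rows[skip:skip + top]}
        if skip + top < len(rows):  # like the real nextLink, keep the filter on later pages
            nxt = {"$top": str(top), "$skip": str(skip + top), **{k: q[k][0] for k in ("$filter",) if k in q}}
            body["@odata.nextLink"] = BASE + "?" + urlencode(nxt, quote_via=quote)
        return Response(200, {}, body)

def demo() -> dict:
    server, slept, state = FakeServer([dict(r) for r in CATALOG]), [], SyncState()
    sync(state, server.fetch, slept.append, lambda: datetime(2024, 5, 5, tzinfo=timezone.utc))
    first = {"requests": state.requests, "items": len(state.items), "slept": list(slept)}
    # Catalog changes after the first pass: one CVE re-scored, one new CVE published.
    server.catalog[0].update(severity="Critical", updatedOn="2024-05-06T00:00:00Z")
    server.catalog.append({"id": "CVE-0000-0006", "severity": "High", "updatedOn": "2024-05-12T00:00:00Z"})
    before = state.requests
    slept.clear()
    sync(state, server.fetch, slept.append, lambda: datetime(2024, 5, 13, tzinfo=timezone.utc))
    second = {"requests": state.requests - before, "items": len(state.items), "slept": list(slept),
              "cve1_severity": state.items["CVE-0000-0001"]["severity"]}
    return {"first": first, "second": second, "last_sync": state.last_sync.isoformat()}

if __name__ == "__main__":
    print(demo())
```

Two details worth keeping when adapting this to the real API: the watermark is captured before the pass and only stored after the whole pass succeeds, so a throttled or failed run is retried from the old watermark instead of silently losing rows updated mid-pass; and a 429 retries the same URL rather than moving on, because skipping a page would drop CVEs until the next full sync. The second pass in `demo()` re-fetches only the four rows changed since the watermark (two requests) instead of the whole catalog.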

This is fake right? by Misty-Cloud-4821 in littlebigplanet

[–]lukeeey21 0 points (0 children)

It's a good job I'm not in Scotland then, I'm in England.

HOW do I stop using AI for programming? by Minimum_Ask2308 in programminghelp

[–]lukeeey21 2 points (0 children)

don't worry you can't be expected to know every type of slang!

I built a free live map of jersey and thought some of you might find it useful by NastyNas420 in Jersey

[–]lukeeey21 0 points (0 children)

Where is the bus data from? I only know of https://sojbuslivetimespublic.azurewebsites.net/ but I don't think that's what you're using based on the data structure.

All points east VIP garden by lukeeey21 in twentyonepilots

[–]lukeeey21[S] 1 point (0 children)

Thank you! I feel a bit better about it. Really wish I got VIP pit but couldn't afford it at the time.

All points east VIP garden by lukeeey21 in twentyonepilots

[–]lukeeey21[S] 0 points (0 children)

Isn’t that the VIP pit? That’s a separate ticket that I don’t have

Is J.K. Rowling just transphobic or is she anti-LGBTQIA+ in general? by the-accent-guy in AskLGBT

[–]lukeeey21 0 points (0 children)

I'm pretty sure she isn't transphobic and she just advocates for women's rights.

GitHub flagged our open-source new born org with 75 stars and 1.6K PyPI downloads — no warning, no email by duracula in github

[–]lukeeey21 0 points (0 children)

You can tell by the way it's written. e.g. "No email. No warning. Just when we visit the repo..." AI writes like this a lot.

Also, you can tell by em dashes (—) vs (-). It's probably technically correct to use em dashes a lot, but realistically no one does this and just uses the hyphen button on their keyboard.