Thanks VasilMichev
There's definitely a fair bit of feedback that semi relates to what you're mentioning here, so I thought it's best to clarify some intent here. These APIs require MDO P2, and within the MDO P2 license arrangement there is also the Advanced Hunting API.
Advanced Hunting API is extremely granular, to the point of being able to do regular expressions, and joins with other Defender data sources like Defender for Endpoint, Cloud Apps, etc. This would enable scenarios like:
- Basic ones: searching for a subject, or parts of a subject, or a regular expression in a subject.
- OR more advanced ones: searching for an email that was sent on an unmanaged device by using MDE and Cloud Apps data
It logically doesn't make a tonne of sense for us to put too much search capability into the GET methods of the analyzedMessage API. The GET method realistically is there once you know specifics about a message (the identifiers of that message); the getting of those specifics is best suited to the much, much more powerful AH API.
In the blog we do allude to this a little bit; the Sentinel example is using an advanced hunting query as the data source for which messages need to be removed, and the data from that AH query is then taken to the remediate endpoint.
Let us know your thoughts here. Try out the AH API as well for some extremely powerful querying.
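As an added illustration of the two-step flow the reply describes (Advanced Hunting picks the messages, the remediate endpoint acts on their identifiers), here is example code that is not from the original post and not Microsoft's own code. It builds the KQL for a subject-regex hunt, turns a `runHuntingQuery`-shaped response into unique `(NetworkMessageId, RecipientEmailAddress)` targets, and batches them into remediate request bodies. The Graph paths `/security/runHuntingQuery` and `/security/collaboration/analyzedEmails/remediate`, the body field names, the `BATCH_SIZE` limit and the sample response rows are all assumptions or constructed data, not taken from the page; the HTTP call itself is injected as a `post(url, body)` callable so the logic runs offline.

```python
from __future__ import annotations
import re
from typing import Callable

GRAPH_BASE = "https://graph.microsoft.com/beta"                      # assumed base URL
HUNTING_PATH = "/security/runHuntingQuery"                           # assumed Graph path
REMEDIATE_PATH = "/security/collaboration/analyzedEmails/remediate"  # assumed Graph path
BATCH_SIZE = 100  # assumed per-call limit; confirm against the documented maximum


def build_hunting_query(subject_regex: str, lookback_days: int = 7) -> str:
    """KQL for the AH API: delivered mail whose subject matches an RE2 regex.

    The pattern is embedded in a KQL double-quoted string, so backslashes and
    quotes are escaped once here and unescaped again by the query engine.
    """
    escaped = subject_regex.replace("\\", "\\\\").replace('"', '\\"')
    return (
        "EmailEvents\n"
        f"| where Timestamp > ago({lookback_days}d)\n"
        f'| where Subject matches regex "{escaped}"\n'
        '| where DeliveryAction == "Delivered"\n'
        "| project NetworkMessageId, RecipientEmailAddress, Subject"
    )


def select_targets(hunting_response: dict, subject_regex: str) -> tuple[list[dict], int]:
    """Turn a runHuntingQuery-style response into unique (message, recipient) targets.

    One NetworkMessageId covers every recipient of a message, so the pair is the
    unit of remediation. The regex is re-applied client-side as a guard: if the
    KQL is later loosened, non-matching rows are skipped rather than remediated.
    Returns (targets, skipped_count).
    """
    pattern = re.compile(subject_regex)
    seen: set[tuple[str, str]] = set()
    targets: list[dict] = []
    skipped = 0
    for row in hunting_response.get("results", []):
        if not pattern.search(row.get("Subject", "")):
            skipped += 1
            continue
        key = (row["NetworkMessageId"], row["RecipientEmailAddress"].lower())
        if key in seen:
            continue
        seen.add(key)
        targets.append({"networkMessageId": row["NetworkMessageId"],
                        "recipientEmailAddress": row["RecipientEmailAddress"]})
    return targets, skipped


def build_remediate_payload(targets: list[dict], action: str, name: str, description: str) -> dict:
    """Request body for the remediate action (field names assumed from Graph beta docs)."""
    allowed = {"softDelete", "hardDelete", "moveToJunk", "moveToInbox", "moveToDeletedItems"}
    if action not in allowed:
        raise ValueError(f"unsupported action {action!r}")
    return {"name": name, "description": description, "severity": "medium",
            "action": action, "analyzedEmails": targets}


def remediate_from_hunt(hunting_response: dict, subject_regex: str,
                        post: Callable[[str, dict], dict], action: str = "softDelete",
                        name: str = "AH-driven cleanup", batch_size: int = BATCH_SIZE) -> dict:
    """Select targets from the hunt, chunk them, and POST one remediate body per chunk."""
    targets, skipped = select_targets(hunting_response, subject_regex)
    batches = 0
    for i in range(0, len(targets), batch_size):
        body = build_remediate_payload(targets[i:i + batch_size], action, name,
                                       f"subject matches /{subject_regex}/")
        post(GRAPH_BASE + REMEDIATE_PATH, body)
        batches += 1
    return {"targets": len(targets), "skipped": skipped, "batches": batches}


# Constructed sample in the shape runHuntingQuery returns; not real tenant data.
SAMPLE_RESPONSE = {
    "schema": [{"name": "NetworkMessageId", "type": "String"},
               {"name": "RecipientEmailAddress", "type": "String"},
               {"name": "Subject", "type": "String"}],
    "results": [
        {"NetworkMessageId": "11111111-0000-4000-8000-000000000001",
         "RecipientEmailAddress": "alice@example.com", "Subject": "Invoice 2291 overdue"},
        {"NetworkMessageId": "11111111-0000-4000-8000-000000000001",
         "RecipientEmailAddress": "bob@example.com", "Subject": "Invoice 2291 overdue"},
        {"NetworkMessageId": "11111111-0000-4000-8000-000000000001",   # duplicate row
         "RecipientEmailAddress": "Bob@example.com", "Subject": "Invoice 2291 overdue"},
        {"NetworkMessageId": "11111111-0000-4000-8000-000000000002",
         "RecipientEmailAddress": "carol@example.com", "Subject": "RE: Invoice 7710"},
        {"NetworkMessageId": "11111111-0000-4000-8000-000000000003",   # does not match
         "RecipientEmailAddress": "dave@example.com", "Subject": "Team lunch"},
    ],
}

if __name__ == "__main__":
    pattern = r"^(RE: )?Invoice \d+"
    print(build_hunting_query(pattern))
    sent: list[dict] = []
    print(remediate_from_hunt(SAMPLE_RESPONSE, pattern, lambda url, body: sent.append(body) or {}))
```

The injected `post` is where a real run would put an authenticated Graph call (for example a `requests.Session` with a bearer token); keeping it outside the selection logic means the target list and the batching can be reviewed, or dry-run, before anything is removed from mailboxes.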