Forum Discussion
How to get/set defender settings with API
Does anyone know if it is possible to retrieve my Defender settings using the API? For example, I need to access:
Microsoft Defender -> Settings -> Endpoints -> General -> Advanced Features
I noticed that the portal uses 'apiproxy/mtp/k8s/mgmt/TenantContext?realTime=true' to obtain all information, and I could see that the API URL being used for it is 'k8s': 'https://wdatpprd-eus3.securitycenter.windows.com/api'.
However, the documentation for the Defender API (https://api.securitycenter.windows.com/) does not contain any information regarding settings.
Is it possible to connect to this API (https://wdatpprd-eus3.securitycenter.windows.com/api) from my application? How should I set up API permissions in my Azure tenant (add any scopes or anything else)? Is there any documentation available on how to achieve this?
7 Replies
- Nathan_McNulty (Copper Contributor)
These are internal service APIs with no supported way to get tokens to talk to them. The Defender portal uses an OBO flow to get tokens to talk to the MTP APIs, and we can no longer request tokens directly.
Having said that, if you are willing to use a highly unsupported method, you can use my technique here to talk to these (and any other Defender XDR) APIs: https://github.com/nathanmcnulty/nathanmcnulty/blob/master/DefenderForEndpoint/AutoConfig/README.md#setting-up-our-session-and-cookies
- rb_account (Copper Contributor)
Fantastic write up Nathan! Really well documented and certainly something I can use internally.
Unfortunately, unless I'm missing something, this won't help for multi-tenant configurations to perform via an App Registration.
- Nathan_McNulty (Copper Contributor)
Thanks! I'm hoping to convert it all into a PowerShell module later this year, have a lot of other projects that need to be wrapped up first :p
Unfortunately, there is no way to do this with applications. You will need a real user account (doesn't have to be licensed though). We have played with Entra CBA using an MFA-capable cert, storing the user cert in AKV, and using that with automation, but that's going to require customer setup that can't be delivered through consent to a multi-tenant app.
- AdelAlDabbas (Microsoft)
Hello,
This is currently not supported.
List of supported MDE APIs: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api/exposed-apis-list?view=o365-worldwide
List of supported Microsoft Defender XDR APIs: https://learn.microsoft.com/en-us/microsoft-365/security/defender/api-supported?view=o365-worldwide
- rb_account (Copper Contributor)
Just curious if there have been any updates to this. We're looking for a way to at least review the configuration of XDR automatically to identify misconfigurations.
Cheers,
Ray
- antoniocalo18 (Copper Contributor)
Hi dmitry_gusev
Did you reach any conclusion? I've been trying to obtain the same information with API calls from API Explorer on security.microsoft.com, but it didn't work.
Regards
- dmitry_gusev (Copper Contributor)
No, I haven't. I'm still looking for a solution. If I find one, I'll reply here.