Forum Discussion

parimaljethva
Copper Contributor
Jul 07, 2025

[MS Defender for Endpoint] Wanted guidance on Alerts API

Question:

  1. Which API is recommended for reliably sharing domain information, especially for integration with external tools?
    1. https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id
    2. https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info
  2. How can I generate or simulate alerts so that the https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info API returns actual domain-related data?
  3. What are the best practices for selecting the appropriate API for this use case, considering I cannot use both in my integration?

Things I have explored so far:

  • Currently using https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id API.
    • Provides domain-related data in the evidence section.
    • Example response includes entities with entityType "Url", containing both bare domain names and full URLs.

Alert Response

{
  "id": "da0c5a38e4-3ef4-4c75-a0ad-9af83e866cf1_1",
  "detectionSource": "WindowsDefenderAtp",
  "category": "CredentialAccess",
  "evidence": [
    {
      "entityType": "Url",
      "url": "pub-8eab0c35f1eb4dacafaaa2b16d81a149.r2.dev"   // domain-type value; other fields omitted
    },
    {
      "entityType": "Url",
      "url": "https://example.com"   // URL-type value; other fields omitted
    }
  ]
  // ... other fields
}

  • Noticed another API: https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info.
    • Purpose-built for retrieving domains related to alerts.
    • Returns an empty data object with no domains or hosts, even when generating alerts by accessing blocked domains.
      • A custom IOC of type domain was added to the endpoint indicators list, and then the same domain was accessed from a Windows machine. Ref: https://learn.microsoft.com/en-us/defender-endpoint/indicator-ip-domain#create-an-indicator-for-ips-urls-or-domains-from-the-settings-page
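One practical way to work with the first API while the domain-info endpoint returns nothing is to normalise the evidence entities yourself, since the post shows that the "url" field of a Url entity can hold either a bare domain or a full URL. The following is an added example, not code from the original post or from Microsoft; the alert below is a constructed sample modelled on the shape quoted above, and the alert id is a placeholder. It extracts every Url entity, reduces each value to a lowercase hostname, tags whether the raw value was a domain or a URL, and drops values that do not look like a hostname so that only clean indicators reach an external tool.

```python
import json
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample alert modelled on the response shape in the post (not a real API response).
SAMPLE_ALERT = json.dumps({
    "id": "ALERT-ID-PLACEHOLDER",
    "detectionSource": "WindowsDefenderAtp",
    "category": "CredentialAccess",
    "evidence": [
        {"entityType": "Url", "url": "pub-8eab0c35f1eb4dacafaaa2b16d81a149.r2.dev"},
        {"entityType": "Url", "url": "https://example.com/login?x=1"},
        {"entityType": "Url", "url": "HTTP://Example.ORG:8080/path"},
        {"entityType": "Url", "url": "not a host!"},
        {"entityType": "File", "fileName": "payload.exe"},
    ],
})

# Conservative hostname check: letters, digits, dots and hyphens only (assumed policy).
VALID_HOST = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")


def extract_host(value: str) -> Optional[str]:
    """Return the lowercase hostname of an evidence 'url' value.

    The value may be a bare domain ("example.com") or a full URL
    ("https://example.com/path"); both are reduced to the host part.
    Returns None when no valid hostname can be recovered.
    """
    value = value.strip()
    if "://" not in value:
        # Bare domain (possibly with a port or path): prefix "//" so urlsplit
        # treats the leading token as the network location.
        value = "//" + value
    host = urlsplit(value).hostname  # already lowercased by urlsplit
    if not host or not VALID_HOST.match(host):
        return None
    return host


def url_entities(alert: dict) -> List[Dict[str, str]]:
    """Collect Url evidence entities from an alert as normalised records.

    Each record carries the extracted host, whether the raw value was a
    bare domain or a full URL, and the raw value for audit purposes.
    """
    records: List[Dict[str, str]] = []
    for entity in alert.get("evidence", []):
        if entity.get("entityType") != "Url":
            continue
        raw = entity.get("url")
        if not isinstance(raw, str):
            continue
        host = extract_host(raw)
        if host is None:
            continue  # skip values that cannot be trusted as hostnames
        kind = "url" if ("://" in raw or "/" in raw) else "domain"
        records.append({"host": host, "kind": kind, "raw": raw})
    return records


def unique_hosts(alert_json: str) -> List[str]:
    """Parse an alert JSON string and return its distinct hosts, sorted."""
    alert = json.loads(alert_json)
    return sorted({rec["host"] for rec in url_entities(alert)})


if __name__ == "__main__":
    for rec in url_entities(json.loads(SAMPLE_ALERT)):
        print(f"{rec['kind']:6}  {rec['host']:45}  <- {rec['raw']}")
    print("unique hosts:", unique_hosts(SAMPLE_ALERT))
```

The "kind" tag lets an integration decide how to treat each indicator (a bare domain is usually a candidate for a domain block list, while a full URL may be better matched as a URL indicator), and the hostname filter means a malformed or unexpected value in the evidence array is dropped rather than forwarded to a downstream tool.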