Forum Discussion
michaelreid1972
Jun 14, 2021 (Copper Contributor)
Windows Defender ATP API - ingest all alert details into Splunk / Splunk Phantom
We are trying to ingest all the alert details into Splunk, and Splunk Phantom, but we cannot get the last part that allows us to view all the information contained in the alert. (see screenshot for reference)
Any guidance on what API call(s) to use would be greatly appreciated.
API call we are using
https://api-eu.securitycenter.windows.com/api/alerts/da637590078447561363_2087728736
See Screenshot.
Evidence Includes
Evidence Entry 1
"title": "Connection to a custom network indicator",
"description": "An endpoint has connected to a URL or domain in your list of custom indicators.",
Evidence Entry 2
"entityType": "Url",
"evidenceCreationTime": "2021-06-11T11:30:44.82Z",
"sha1": null,
....
However, I cannot seem to figure out how to retrieve this entry via the API; we can only view it in the GUI:
--- Network Filter Lookup Service blocked chrome.exe from accessing https://testgvbgjbhjb.com
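As an added example that is not part of the original post and not Microsoft's code, the script below builds the alert request and flattens the alert's evidence array into one record per evidence entry, which is the shape Splunk and Phantom index most usefully. It assumes the alert resource returned by the API carries an "evidence" array and that the OData parameter $expand=evidence populates it on both the single-alert and the list-alerts endpoints; the alert ID and API host are taken from the post, the sample alert is constructed from the fields quoted there (with a second, Process-type entry added for illustration), and the bearer-token fetch helper is not exercised offline.

```python
"""Fetch a Defender for Endpoint alert with its evidence and flatten it into
one JSON event per evidence entry for Splunk / Phantom ingestion.
Added example; not code from the original post or from Microsoft."""
import json
import urllib.parse
import urllib.request

# API host from the post. Assumption: the alert resource has an "evidence"
# array and "$expand=evidence" asks the API to populate it.
API_BASE = "https://api-eu.securitycenter.windows.com/api"

ALERT_FIELDS = ("id", "title", "description", "severity", "category",
                "machineId", "alertCreationTime")


def alert_url(alert_id, base=API_BASE):
    """URL for a single alert, asking for its evidence array (assumed parameter)."""
    return f"{base}/alerts/{alert_id}?$expand=evidence"


def alerts_since_url(since_iso, base=API_BASE):
    """URL for all alerts created after a timestamp, with evidence, for polling
    (assumed filter syntax; the space-separated OData filter is percent-encoded)."""
    flt = urllib.parse.quote(f"alertCreationTime gt {since_iso}")
    return f"{base}/alerts?$filter={flt}&$expand=evidence"


def fetch_json(url, token):
    """GET a Defender API URL with an OAuth bearer token (network call,
    not exercised offline)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flatten_evidence(alert):
    """Return one flat dict per evidence entry, each carrying the parent
    alert's key fields. Alert-level keys get an 'alert_' prefix so they
    never collide with evidence keys such as 'sha1'; null values are kept
    so field extraction still sees the key."""
    parent = {f"alert_{k}": alert.get(k) for k in ALERT_FIELDS}
    records = []
    for index, entry in enumerate(alert.get("evidence") or []):
        record = dict(parent)
        record["evidence_index"] = index
        record.update(entry)
        records.append(record)
    return records


def to_splunk_events(alert):
    """Newline-delimited JSON, one event per evidence entry. An alert whose
    evidence array is missing or empty still yields one event, so the gap
    (e.g. a request without $expand) is visible in the index."""
    records = flatten_evidence(alert) or [
        {f"alert_{k}": alert.get(k) for k in ALERT_FIELDS}]
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


# Constructed sample shaped like the fields quoted in the post; not a real alert.
SAMPLE_ALERT = {
    "id": "da637590078447561363_2087728736",
    "title": "Connection to a custom network indicator",
    "description": "An endpoint has connected to a URL or domain in your list "
                   "of custom indicators.",
    "severity": "Informational",
    "alertCreationTime": "2021-06-11T11:30:44.82Z",
    "evidence": [
        {"entityType": "Url",
         "evidenceCreationTime": "2021-06-11T11:30:44.82Z",
         "sha1": None,
         "url": "https://testgvbgjbhjb.com"},
        {"entityType": "Process",  # illustrative second entry
         "evidenceCreationTime": "2021-06-11T11:30:44.82Z",
         "sha1": None,
         "fileName": "chrome.exe"},
    ],
}

if __name__ == "__main__":
    print(alert_url(SAMPLE_ALERT["id"]))
    print(alerts_since_url("2021-06-11T00:00:00Z"))
    print(to_splunk_events(SAMPLE_ALERT))
```

To use it live, call fetch_json(alert_url(alert_id), token) with a token obtained for the Defender API and feed to_splunk_events() to an HEC input or a Phantom container artifact. If the returned alert still has no "evidence" key, check the request actually carried $expand=evidence and that the app registration has the alert read permission, before concluding the data is GUI-only.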