A typical enterprise deploys multiple solutions to address its security needs and run its day-to-day operations. Security operations teams develop their own custom automation to automate procedures, integrate data, and orchestrate actions to effectively operate and respond to threats.
Microsoft Defender ATP offers a rich and complete set of APIs geared to fulfill those needs and enable interoperability with enterprise security applications and automation. In previous blog posts we announced the Microsoft Defender ATP layered API model, which is exposed through a standard Azure AD (AAD) based authentication and authorization model that allows access in the context of users or of SaaS applications.
In this post, we are announcing the Public Preview of the new API Explorer and Connected applications pages, which demonstrate our commitment to making the Microsoft Defender ATP platform more extensible – helping security operations teams easily develop and track their connected solutions and workflows. You can now try them out straight from the Microsoft Defender Security Center console.
So, let's get started.
Try out the API Explorer
The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively.
With the API Explorer, you can:
Follow these steps to try it out:
Note that some of the samples require you to specify a parameter in the URL, for example {machine-id}.
API Explorer is designed to support all the APIs offered by Microsoft Defender ATP, enabling customers to ingest indicators, manage settings and alert status, and take response actions on devices programmatically, such as isolating machines from the network or quarantining files. The list of supported APIs is available in the APIs documentation.
Authentication and authorization
You do not need separate credentials to access an API, since the API Explorer uses the logged-in user's credentials to access data on your behalf. Access to Microsoft Defender ATP APIs is granted according to the user's permissions model and RBAC rules. For example, a request to 'Isolate machine' is by default limited to roles that have the 'Active remediation actions' permission.
Try out Connected applications
Power BI, Microsoft Flow, and custom applications created by your organization or a third-party partner all connect to Microsoft Defender ATP APIs via AAD applications. The Connected applications page helps you track the Azure Active Directory apps that integrate with the Microsoft Defender ATP platform in your organization.
Follow these steps to see it in action:
3. You can review the usage of the connected application: Last seen, Number of requests in the past 24 hours, Request trend (30 days).
4. Selecting the Open application settings link opens the corresponding AAD application management page in the Azure portal. From the Azure portal, you can manage permissions, reconfigure, or delete the connected app.
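As an added example (not code from this post or from Microsoft), the following shows how a connected AAD application obtains a token for the Defender ATP API, fills a `{machine-id}` placeholder in a sample URL, and inspects the application permissions (the token's `roles` claim) that AAD granted before attempting an action. The login.microsoftonline.com and api.securitycenter.microsoft.com endpoints are the public ones; the tenant and app IDs are placeholders, `Machine.Isolate` is the application permission name from the Defender ATP API documentation, and `_fake_token` constructs an unsigned token so the demo runs offline.

```python
# Added example, not Microsoft's code; tenant/app IDs below are placeholders.
import base64
import json
import re
import urllib.parse
import urllib.request

RESOURCE = "https://api.securitycenter.microsoft.com"  # Defender ATP API resource

def token_request(tenant_id, app_id, app_secret):
    """Build the AAD client-credentials request a connected app sends to get a token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {"grant_type": "client_credentials", "client_id": app_id,
            "client_secret": app_secret, "scope": f"{RESOURCE}/.default"}
    return url, body

def app_roles(access_token):
    """Decode the (unverified) JWT payload to list the app permissions AAD granted,
    e.g. to confirm 'Machine.Isolate' is present before calling the Isolate action."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])

PLACEHOLDER = re.compile(r"\{([\w-]+)\}")

def fill_sample_url(template, **params):
    """Substitute {machine-id}-style placeholders; fail loudly if one is left unfilled."""
    def repl(m):
        key = m.group(1).replace("-", "_")
        if key not in params:
            raise KeyError(f"missing value for {{{m.group(1)}}}")
        return urllib.parse.quote(str(params[key]), safe="")
    return PLACEHOLDER.sub(repl, template)

def call_api(access_token, url):
    """GET a Defender ATP API URL with a bearer token (network call; not used offline)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def _fake_token(roles):
    """Constructed, unsigned JWT-shaped token for offline demonstration only."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}), seg({"roles": roles}), ""])

if __name__ == "__main__":
    url, body = token_request("<tenant-id>", "<app-id>", "<app-secret>")
    print(url, body["scope"])
    print(fill_sample_url(f"{RESOURCE}/api/machines/{{machine-id}}/alerts", machine_id="abc123"))
    print("Machine.Isolate" in app_roles(_fake_token(["Machine.Read.All"])))  # False
```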
We will continue to bring security operations teams more tools and APIs to enable workflow automation, innovation, and "better-together" integrations built on Microsoft Defender ATP capabilities.
We welcome and appreciate your feedback.
@Efrat Kliger, Program Manager, Windows Defender ATP
@Ben Alfasi, @Zvi Avidor Software engineers, Windows Defender ATP