Windows Defender ATP API - ingest all alert details into Splunk / Splunk Phantom

Copper Contributor

We are trying to ingest all the alert details into Splunk, and Splunk Phantom, but we cannot get the last part that allows us to view all the information contained in the alert. (see screenshot for reference)

Any guidance on what API call(s) to use would be greatly appreciated.

API call we are using
https://api-eu.securitycenter.windows.com/api/alerts/da637590078447561363_2087728736

See Screenshot.

Evidence Includes

Evidence Entry 1

    "title": "Connection to a custom network indicator",
    "description": "An endpoint has connected to a URL or domain in your list of custom indicators.",

Evidence Entry 2

    "entityType": "Url",
    "evidenceCreationTime": "2021-06-11T11:30:44.82Z",
    "sha1": null,
    ....
    "url": "https://testgvbgjbhjb.com/",


However, I cannot seem to figure out how to retrieve this entry via the API, we can only view it in the GUI
--- Network Filter Lookup Service blocked chrome.exe from accessing https://testgvbgjbhjb.com
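Once an alert JSON that carries the nested evidence array is retrieved, the remaining work for Splunk is to flatten each evidence entry into its own event while keeping the parent alert's context. The following is an added example, not code from the original post or from Microsoft's API samples: the alert structure and field names (entityType, evidenceCreationTime, sha1, url) are assumed from the fragments above, and the sample alert data is constructed with placeholder identifiers.

```python
import json
from datetime import datetime, timezone

# Constructed sample alert in the shape of a GET /api/alerts/{id} response
# with an "evidence" array. Ids, hashes and the second entry are placeholders
# made up for this example, not data from the post.
SAMPLE_ALERT = {
    "id": "PLACEHOLDER_ALERT_ID",
    "title": "Connection to a custom network indicator",
    "description": "An endpoint has connected to a URL or domain in your list of custom indicators.",
    "severity": "Medium",
    "machineId": "PLACEHOLDER_MACHINE_ID",
    "evidence": [
        {"entityType": "Url", "evidenceCreationTime": "2021-06-11T11:30:44.82Z",
         "sha1": None, "url": "https://testgvbgjbhjb.com/"},
        {"entityType": "Process", "evidenceCreationTime": "2021-06-11T11:30:44Z",
         "sha1": "PLACEHOLDER_SHA1", "fileName": "chrome.exe", "url": None},
    ],
}


def parse_evidence_time(value):
    """Convert the API's ISO-8601 'Z' timestamp (with or without fractional seconds) to Unix epoch."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc).timestamp()
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def flatten_alert_evidence(alert):
    """Return one flat event per evidence entry, each prefixed with the parent alert's context.
    Null-valued evidence fields are dropped so Splunk field extraction is not polluted with 'null'."""
    parent = {k: alert.get(k) for k in ("id", "title", "severity", "machineId")}
    events = []
    for entry in alert.get("evidence", []):
        event = {f"alert_{k}": v for k, v in parent.items()}
        event.update({k: v for k, v in entry.items() if v is not None})
        events.append(event)
    return events


def to_hec_payload(alert, sourcetype="mdatp:alert:evidence"):
    """Build the newline-delimited JSON body for Splunk HTTP Event Collector (/services/collector)."""
    lines = []
    for event in flatten_alert_evidence(alert):
        lines.append(json.dumps({
            "time": parse_evidence_time(event["evidenceCreationTime"]),
            "sourcetype": sourcetype,
            "event": event,
        }))
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_hec_payload(SAMPLE_ALERT))
```

Each output line is one HEC event, so the evidence URL, hash and file name become searchable fields alongside alert_id and alert_title rather than being buried in a nested array.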