Microsoft Defender for Identity (MDI) is a cloud-based security solution that helps monitor and protect identities and infrastructure across your organization. MDI is a core component of Microsoft Defender XDR, leveraging signals from both on-premises Active Directory and cloud identities to help you better identify, detect, and investigate advanced cyberthreats directed at your organization.
Recently, Defender for Identity (MDI) introduced a Graph-based API for viewing Defender for Identity health issues.
MDI Health alerts notify you of any problems or issues within your Defender for Identity workspace and are essential for maintaining a secure environment.
MDI health alerts fall into two areas: global health issues (affecting the workspace as a whole) and sensor health issues (affecting a specific sensor).
For more information on MDI health alerts, see https://learn.microsoft.com/en-us/defender-for-identity/health-alerts.
Requirements:
The easiest way to get started with the MDI Health Alert API is Graph Explorer (Graph Explorer | Try Microsoft Graph APIs).
Sign in with a user who has the minimum required permissions, copy a query from below and paste it into the query bar in Graph Explorer.
Note: If you are using a query that filters on domain name (domainNames) or sensor DNS name (sensorDNSNames), replace the example value with your own domain's DNS name.
See all open health alerts - https://graph.microsoft.com/beta/security/identities/healthIssues?$filter=Status eq 'open'
See open Global health alerts - https://graph.microsoft.com/beta/security/identities/healthIssues?$filter=Status eq 'open' and healthIssueType eq 'global'
See open sensor health alerts - https://graph.microsoft.com/beta/security/identities/healthIssues?$filter=Status eq 'open' and healthIssueType eq 'sensor'
See open health alerts by severity -
https://graph.microsoft.com/beta/security/identities/healthIssues?$filter=Status eq 'open' and severity eq 'medium'
https://graph.microsoft.com/beta/security/identities/healthIssues?$filter=Status eq 'open' and severity eq 'low'
See open global health alerts whose domain name ends with contoso.com - https://graph.microsoft.com/beta/security/identities/healthissues?$filter=Status eq 'open' and healthIssueType eq 'global' and domainNames/any(s:endswith(s,'contoso.com'))
See open global health alerts whose sensor DNS name ends with contoso.com - https://graph.microsoft.com/beta/security/identities/healthissues?$filter=Status eq 'open' and healthIssueType eq 'global' and sensorDNSNames/any(s:endswith(s,'contoso.com'))
See open sensor health alerts whose sensor DNS name ends with contoso.com - https://graph.microsoft.com/beta/security/identities/healthissues?$filter=Status eq 'open' and healthIssueType eq 'sensor' and sensorDNSNames/any(s:endswith(s,'contoso.com'))
Keep your Defender for Identity deployment healthy and secure!