Feb 08 2022 06:00 AM
Hi,
Apologies if this is a stupid question - Is it possible to search Windows ATP Defender threat database for the existence of an entry? The reason for this is looking to ratify the claims of a different product vendor that say "Microsoft ATP missed this one". I want to take some of the provided hashes and see if Defender knows about them. I've performed searches for entries through our Sentinel watchlists, but need to interrogate our Defender intel.
Any ideas?
Thanks
Feb 09 2022 06:59 AM
Feb 15 2022 10:15 AM
Feb 15 2022 10:19 AM
Solution
Feb 16 2022 01:35 AM
Hey @Jonhed
Thank you so much for your response! I didn't even know that existed!!
This is the closest that I'm going to get. Interestingly, it seems to provide inconsistent results. For example, if I search for this (SHA256):
EX1) a5516c47fda1033a8212d76ba38ef5d9ec129c6369a73377a204268c16168202
I get nothing
If I search for this (SHA1):
EX2) 93ff13c276abb159853cc8cbd8f6ef2fb1d6729f
I get results which also contain the Sha256 hash from EX1! Crazy!
I'll have a read and see if I can work out why/what I'm doing wrong, but thanks very much for putting me on this track!
Feb 16 2022 06:11 AM - edited Feb 16 2022 06:13 AM
The documentation says sha1 or sha256, but when looking at the API explorer in the M365D portal, the URL in the sample query for getting file info shows as below, with "file-sha1", so maybe the API only expects a sha1. This seems to be something that only Microsoft can shed light on.
https://api-xx.securitycenter.windows.com/api/files/{file-sha1}
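An added example, not code from any poster in this thread and not Microsoft's own, of how a defender could take the hashes above and ask Defender for Endpoint about them in a way that accounts for the SHA-1/SHA-256 behaviour observed here. It assumes you already hold an OAuth2 bearer token for the WindowsDefenderATP API with the File.Read.All permission (obtaining that token is out of scope), and the `opener` parameter is an assumption of this example so the call can be exercised without network access. The hashes EX1 and EX2 are the ones posted above.

```python
"""Check whether Defender for Endpoint knows a file hash.

Added example for this thread; it is not Microsoft's code and not code from
any poster. It assumes you already hold an OAuth2 bearer token for the
WindowsDefenderATP API with the File.Read.All permission; acquiring that
token is outside this example.
"""
import json
import re
import urllib.error
import urllib.request

# Public base URL from the Defender for Endpoint API docs; the regional alias
# api-xx.securitycenter.windows.com quoted in the thread serves the same path.
API_BASE = "https://api.securitycenter.microsoft.com"

_HEX = re.compile(r"[0-9a-fA-F]+")
_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value: str) -> str:
    """Return 'md5', 'sha1' or 'sha256' from the hex length; raise otherwise."""
    digest = value.strip()
    if not _HEX.fullmatch(digest) or len(digest) not in _KINDS:
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
    return _KINDS[len(digest)]


def file_info_url(digest: str) -> str:
    """Build GET /api/files/{id}.

    The thread found that a SHA-1 lookup returned a record (including the
    file's SHA-256) while the SHA-256 itself returned nothing, so this helper
    refuses anything but a SHA-1 rather than silently sending a lookup that
    is likely to come back empty.
    """
    if classify_hash(digest) != "sha1":
        raise ValueError("files endpoint: supply the SHA-1 (40 hex chars)")
    return f"{API_BASE}/api/files/{digest.strip().lower()}"


def hunting_query(digest: str) -> str:
    """Advanced Hunting KQL that matches the hash in the column its length
    implies. DeviceFileEvents carries MD5, SHA1 and SHA256 columns, so this
    is one way to check a SHA-256 that the files endpoint did not resolve."""
    column = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA256"}[classify_hash(digest)]
    return (
        "DeviceFileEvents\n"
        f'| where {column} =~ "{digest.strip()}"\n'
        "| summarize Sightings=count(), FirstSeen=min(Timestamp), "
        "LastSeen=max(Timestamp) by FileName, SHA1, SHA256"
    )


def get_file_info(sha1: str, token: str, opener=urllib.request.urlopen):
    """Call the files endpoint. Returns the parsed file entity, or None when
    the API answers 404, which is how it reports a file it has no record of.
    `opener` is injectable (an assumption of this example) so the call can be
    exercised without network access."""
    request = urllib.request.Request(
        file_info_url(sha1),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    try:
        with opener(request) as response:
            return json.load(response)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


if __name__ == "__main__":
    # The two hashes posted in the thread (EX1 is SHA-256, EX2 is SHA-1).
    EX1 = "a5516c47fda1033a8212d76ba38ef5d9ec129c6369a73377a204268c16168202"
    EX2 = "93ff13c276abb159853cc8cbd8f6ef2fb1d6729f"
    print("EX1 is", classify_hash(EX1), "-> use Advanced Hunting:")
    print(hunting_query(EX1))
    print("EX2 is", classify_hash(EX2), "->", file_info_url(EX2))
    # Against a real tenant: get_file_info(EX2, "<bearer token>")
```

The design choice worth noting is that the files endpoint is only ever called with a SHA-1, matching what worked in this thread, while a SHA-256 is routed to an Advanced Hunting query over DeviceFileEvents, which records both hash types for each observed file. A 404 from the files endpoint is treated as "no record", not as an error, so that "Defender has not seen this" is a clear negative answer rather than an exception.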
Feb 17 2022 04:06 AM