Windows Defender ATP API - ingest all alert details into Splunk / Splunk Phantom
We are trying to ingest all the alert details into Splunk and Splunk Phantom, but we cannot get the last part that allows us to view all the information contained in the alert (see screenshot for reference). Any guidance on what API call(s) to use would be greatly appreciated.

API call we are using:

    https://api-eu.securitycenter.windows.com/api/alerts/da637590078447561363_2087728736

See screenshot. Evidence includes:

Evidence Entry 1

    "title": "Connection to a custom network indicator",
    "description": "An endpoint has connected to a URL or domain in your list of custom indicators.",

Evidence Entry 2

    "entityType": "Url",
    "evidenceCreationTime": "2021-06-11T11:30:44.82Z",
    "sha1": null,
    ....
    "url": "https://testgvbgjbhjb.com/",

However, I cannot seem to figure out how to retrieve this entry via the API; we can only view it in the GUI:

    Network Filter Lookup Service blocked chrome.exe from accessing https://testgvbgjbhjb.com
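An added example, not part of the original post and not Microsoft's or Splunk's own code: a Python script that builds the alert-by-ID request with the OData `$expand=evidence` option (assumed here to be the way the portal's evidence entries are returned by the API) and flattens the returned evidence array into one Splunk HEC event per entry, dropping null fields. The sample alert is constructed from the fragments quoted in the post; `SAMPLE_ALERT`, `flatten_evidence`, `network_indicators` and `to_hec_events` are names chosen for this example.

```python
"""Flatten a Microsoft Defender for Endpoint alert (with its evidence array)
into per-evidence events for Splunk ingestion. Sample data is constructed."""
import json

API_BASE = "https://api-eu.securitycenter.windows.com/api"  # EU endpoint from the post
ALERT_FIELDS = ("id", "title", "severity", "detectionSource")
NETWORK_FIELDS = ("url", "domainName", "ipAddress")

# Constructed sample in the shape of the post's alert; hash and pid are placeholders.
SAMPLE_ALERT = {
    "id": "da637590078447561363_2087728736",
    "title": "Connection to a custom network indicator",
    "description": "An endpoint has connected to a URL or domain in your list of custom indicators.",
    "severity": "Informational",
    "detectionSource": "CustomerTI",
    "evidence": [
        {"entityType": "Process", "evidenceCreationTime": "2021-06-11T11:30:44.82Z",
         "fileName": "chrome.exe", "sha1": "0" * 40, "processId": 4242, "url": None},
        {"entityType": "Url", "evidenceCreationTime": "2021-06-11T11:30:44.82Z",
         "sha1": None, "url": "https://testgvbgjbhjb.com/"},
    ],
}

def alert_url(alert_id: str) -> str:
    """Alert-by-ID URL with the OData $expand=evidence option, which inlines the
    evidence entries seen in the portal (assumed to be available on your tenant)."""
    return f"{API_BASE}/alerts/{alert_id}?$expand=evidence"

def flatten_evidence(alert: dict) -> list:
    """One flat dict per evidence entry; alert-level fields are prefixed 'alert_'
    and null evidence fields are dropped so they are not indexed as empty values."""
    base = {f"alert_{k}": alert.get(k) for k in ALERT_FIELDS}
    events = []
    for ev in alert.get("evidence") or []:  # missing or None when not expanded
        row = dict(base)
        row.update({k: v for k, v in ev.items() if v is not None})
        events.append(row)
    return events

def network_indicators(alert: dict) -> list:
    """Distinct URL/domain/IP values across the evidence, e.g. for blocklist review."""
    found = {ev.get(f) for ev in alert.get("evidence") or [] for f in NETWORK_FIELDS}
    return sorted(v for v in found if v)

def to_hec_events(alert: dict, sourcetype: str = "mde:alert:evidence") -> list:
    """Splunk HTTP Event Collector payloads, one JSON string per evidence entry."""
    return [json.dumps({"sourcetype": sourcetype, "event": row})
            for row in flatten_evidence(alert)]
```

Each string returned by `to_hec_events` is a complete HEC payload body; a real run would fetch `alert_url(...)` with a bearer token and pass the decoded JSON in place of `SAMPLE_ALERT`.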