Say hello to the new Microsoft Threat Protection APIs!
Published Sep 15 2020 09:08 AM 18.5K Views

A typical enterprise environment often requires customers to augment security solutions by building their own custom automation logic to automate procedures, integrate data, and orchestrate actions to enable security teams to effectively operate and respond to threats. 

Today we are announcing public preview for three exciting enhancements: 

  • Microsoft Threat Protection Incident and Hunting APIs 
  • New Microsoft Threat Protection SIEM connectors for Splunk Enterprise and Micro Focus ArcSight
  • Microsoft Threat Protection alerts will be available soon via the Microsoft Graph Security API 

With these three additions, Microsoft Threat Protection is now an integration-ready platform! 
Let’s have a closer look at 
the new capabilities: 
Microsoft Threat Protection API model 

Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear and easy to use model. Exposed through a standard Azure Active Directory (AAD) based authentication and authorization model and allowing access in context of users or SaaS applications. 

The lop-level Microsoft Threat Protection APIs will enable you to automate workflows based on the shared incident and advanced hunting tables: 

The I
ncidents API - This API exposes Microsoft Threat Protection incidents - a more efficient, more comprehensive and more descriptive evolution of alerts. Incidents help security professionals focus on what's critical by ensuring that the full attack scope and impacted assets are grouped together and surfaced in a timely manner under the incident API 

You can pull all the alerts related to the incident and other information about them such as severity, entities that were involved in the alert, the source of the alerts (Azure ATP, Microsoft Defender ATP , Office 365 ATP) and the reason they were linked together. To learn more about the schema see Incidents API and Update Incident API.

Cross-product threat hunting
APIThis API provides query-based access to Microsoft Threat Protection raw data store, aggregated across the suite protection products. Using the hunting API security teams can leverage their unique organizational knowledge and expertise to hunt for signs of compromise by creating their own custom queries.  

Ready to start? Let's talk authentication and authorization 

Accessing Microsoft Threat Protection APIs is granted in accordance with the service users and permissions model. For users, Single Sign On (SSO) and RBAC rules apply, and for services - permissions management. Using an AAD Applications model solves them all. A user’s API calls use the delegated permissions model. It means that the user context is used when calling the API, leveraging SSO capabilities. Since the user identity is used, the same RBAC rules applied for interactive user, applied also for API user. For services, the AAD application model is applied where the AAD Global Admin grants the permissions to the application. Any change of the application “manifested” permissions will require Global Admin Consent.  
Full control. Full transparency.

To try it out please use, Microsoft Threat Protection API “Hello World” sample. 



Say hello to the upcoming Microsoft Threat protection SIEM connectors! 
We’re thrilled to announce our latest integration with Splunk Enterprise and Micro Focus ArcSight are ready for preview 

  • Splunk Enterprise partnered with Microsoft Threat protection to develop a new add-on that allows our joint customers to easily integrate security incident in Splunk Enterprise. Security incidents and related evidence ingested through this add-on are mapped to the Splunk Common Information Model, which allows you to easily integrate the incidents into your existing processes and dashboards.  
    Would you like to sign up for the Preview? Please submit this form. 
  • Micro Focus ArcSight partnered with Microsoft Threat protection to develop a new ArcSight FlexConnector that allows our joint customers to integrate security incident in to Arcsight 
    Would you like to sign up for the Preview? Please submit this form. 


And yes, a Microsoft Azure Sentinel connector is also on the way, coming soon later this calendar year. 

Microsoft Threat Protection alerts via the Microsoft Graph Security API 
The Microsoft Graph Security API is an intermediary service (or broker) that provides a programmatic interface to connect multiple Microsoft security solution. Microsoft Threat Protection alerts and custom detection created by the customer will be surfaced under the Microsoft Graph Security Alert API in the coming weeks. 


And there’s more coming soon 
We will be exposing calculated or ‘profiled’ Microsoft threat protection entities (for example, device, user, email and file) and additional set of response actions. The pattern of using other capabilities or entities will be similar. 
In addition we are working to also expose an event streaming interface allowing customers to flow event data to an external storage, correlate with additional data sources, perform custom analytics, and others. 

We will gradually expand the set of APIs and expanding our ecosystem to fulfill the needs of security operations teams, enabling interoperability with enterprise security applications and automation. 
As always, your feedback is welcome! 


Additional reading and references 

Microsoft Threat Protection API “Hello World”  

Microsoft Threat Protection API Documentation 

Microsoft Threat Protection Jupyther notebooks - MVP blog by Maarten Goet 

Other API resources for the various protection products 


Version history
Last update:
‎Sep 21 2020 11:57 PM
Updated by: