Microsoft Security exposes a number of APIs, such as the Microsoft 365 Defender APIs, the Microsoft Defender for Endpoint APIs and Microsoft Graph. The table below lists the ones this repository works with.
| Product | API |
|---|---|
| Microsoft Defender for Endpoint | Microsoft Defender for Endpoint APIs |
| Microsoft 365 Defender | Incident APIs, Advanced Hunting API, Streaming API |

Figure 1. Supported APIs in Microsoft 365 Defender & Microsoft Defender for Endpoint
- Best practices for leveraging Microsoft 365 Defender API's - Episode One
- Best practices for leveraging Microsoft 365 Defender API's - Episode Two
- Best practices for leveraging Microsoft 365 Defender API's - Episode Three
MDE API GUI takes its target devices from an advanced hunting KQL query, a computer name, or a CSV file, then calls the Microsoft Defender for Endpoint APIs to automate incident response actions on those devices: running an antivirus scan, isolating the device, and adding a device tag.
Reference

| Machine action | Link |
|---|---|
| Add machine tags | GUI-MDE-API-DeviceTag.md |
| Run antivirus scan | GUI-MDE-API-AntivirusScan.md |
| Isolate machine | GUI-MDE-API-DeviceIsolation.md |
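The following is an added example, not the GUI tool's own code, showing the same flow in plain Python: resolve devices from a KQL query, computer names, or a CSV file, then submit isolate / scan / tag machine actions. The endpoint paths and request bodies follow Microsoft's documented Defender for Endpoint API; the `send` transport callable, the `DeviceId` CSV layout, and the sample data are constructed for this example. Two checks a practitioner wants are included: device IDs are de-duplicated so one row per alert does not become several actions per device, and computer names are escaped before being placed in an OData `$filter`.

```python
"""Drive Microsoft Defender for Endpoint (MDE) machine actions from a KQL query,
computer names, or a CSV file. Added example; endpoint shapes follow the
documented MDE API, everything else (transport, CSV layout, data) is constructed."""
import csv
import io
import json
import urllib.request

MDE_API = "https://api.securitycenter.microsoft.com/api"

# machine action -> (URL suffix, application permission the app registration needs)
ACTIONS = {
    "isolate": ("isolate", "Machine.Isolate"),
    "scan": ("runAntiVirusScan", "Machine.Scan"),
    "tag": ("tags", "Machine.ReadWrite.All"),
}

# Constructed CSV export, the layout this example assumes (a DeviceId column).
SAMPLE_CSV = "DeviceId,DeviceName\na1,host-a\nb2,host-b\na1,host-a\n"


def http_transport(token):
    """Real transport: send(method, url, body) -> parsed JSON. `token` is a bearer
    token from the client-credentials flow (not shown; requires network)."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


def _dedupe(ids):
    # Preserve order, drop repeats: one machine action per device, not per row.
    return list(dict.fromkeys(i for i in ids if i))


def devices_from_csv(text):
    """Device IDs from a CSV with a DeviceId column (constructed layout)."""
    rows = csv.DictReader(io.StringIO(text))
    if rows.fieldnames is None or "DeviceId" not in rows.fieldnames:
        raise ValueError("CSV must have a DeviceId column")
    return _dedupe(r["DeviceId"].strip() for r in rows)


def devices_from_hunting(query, send):
    """Run an advanced hunting query; it must project a DeviceId column."""
    resp = send("POST", f"{MDE_API}/advancedqueries/run", {"Query": query})
    columns = [c["Name"] for c in resp["Schema"]]
    if "DeviceId" not in columns:
        raise ValueError("query must project DeviceId; got " + ", ".join(columns))
    return _dedupe(row["DeviceId"] for row in resp["Results"])


def devices_from_names(names, send):
    """Resolve computer DNS names to device IDs with an OData $filter."""
    ids = []
    for name in names:
        safe = name.replace("'", "''")  # OData string literal: double embedded quotes
        url = f"{MDE_API}/machines?$filter=computerDnsName eq '{safe}'"
        ids.extend(m["id"] for m in send("GET", url)["value"])
    return _dedupe(ids)


def build_action_request(device_id, action, comment, **opts):
    """Return (url, body) for one machine action. Isolate and scan carry a
    Comment so the action is attributable in the Action center."""
    if action == "isolate":  # "Selective" keeps Outlook/Teams traffic allowed
        body = {"Comment": comment, "IsolationType": opts.get("isolation_type", "Full")}
    elif action == "scan":
        body = {"Comment": comment, "ScanType": opts.get("scan_type", "Quick")}
    elif action == "tag":
        body = {"Value": opts["tag"], "Action": opts.get("tag_action", "Add")}
    else:
        raise ValueError(f"unknown action {action!r}")
    return f"{MDE_API}/machines/{device_id}/{ACTIONS[action][0]}", body


def run_action(device_ids, action, comment, send, **opts):
    """Submit the action per device; return [(device_id, action_id, status)].
    Status starts as "Pending"; poll action_status() until it settles."""
    results = []
    for dev in device_ids:
        url, body = build_action_request(dev, action, comment, **opts)
        resp = send("POST", url, body)
        results.append((dev, resp.get("id"), resp.get("status")))
    return results


def action_status(action_id, send):
    """Current status of a submitted machine action."""
    return send("GET", f"{MDE_API}/machineactions/{action_id}")["status"]


if __name__ == "__main__":
    # Offline demo: build (but do not send) the requests for the sample CSV.
    for dev in devices_from_csv(SAMPLE_CSV):
        print(build_action_request(dev, "isolate", "IR-42", isolation_type="Selective"))
```

Swap `http_transport(token)` in for `send` to run it against a tenant; the app registration must hold the application permission listed in `ACTIONS` for each action it submits, and isolation in particular should be gated behind an analyst confirmation because it is disruptive to the user.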
Power Automate and Azure Logic Apps are Microsoft's cloud-based workflow automation services. Both let you build workflows that integrate applications and services across platforms and systems; Power Automate is the low-code option, while Azure Logic Apps offers deeper customization and Azure integration.
Power Automate folder : Power-Automate
Power Automate portal
MSTICPy is a Python library of cybersecurity tools built by Microsoft that provides threat hunting and investigation functionality.
Reference
- GitHub : MSTIC Jupyter and Python Security Tools
- MSTIC docs : MSTIC Jupyter and Python Security Tools
MSTICPy GitHub repo : LearningKijo | MSTICPy
#WIP
#--- Big thank you for support, Mutsumi N.
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of company.