Recently, I have spent a lot of time investigating the capabilities of Microsoft 365 security solutions. External integrations and the available APIs have been among the topics covered along the way.

Even though the Intelligent Security Graph (ISG) provides an API from which you can get all the alerts raised by the individual security providers, there may be reasons to integrate directly with the security solution itself, for example with Microsoft Defender ATP (MDATP).

This approach suits organizations that don’t have Azure Sentinel in place or don’t have licenses for all the security features. Another use case is reporting.

In my opinion, API-related information is scattered across the Microsoft documentation, which was one of the main reasons for this blog post. Another driver was the need to investigate the possibility of integrating a security solution's API directly with a 3rd-party SIEM/SOAR.

List of used acronyms

Acronym     Description
IPC         Azure AD Identity Protection
AATP        Azure Advanced Threat Protection
O365 ATP    Office 365 Advanced Threat Protection
O365 UAL    Office 365 Unified Audit Log
PIM         Azure AD Privileged Identity Management
AIP         Azure Information Protection
ISG         Intelligent Security Graph, aka Microsoft Security Graph API
MTP         Microsoft Threat Protection

You can find the results in the picture and in the Excel spreadsheet. The list is not 100% accurate, but it is a good starting point. Hopefully, you will find these as useful as I have :)

The Excel spreadsheet is available for download.