Recently I have spent a lot of time investigating the capabilities of Microsoft 365 security solutions. External integrations and the available APIs have been one of the topics covered along the way.
Even though the Intelligent Security Graph (ISG) provides an API through which you can get all the alerts from the various security providers, there may be reasons why you need to integrate directly with the security solution itself, such as Microsoft Defender ATP (MDATP).
This approach is suitable for organizations that don't have Azure Sentinel in place or don't have a license for all the security features. Another use case is reporting.
In my opinion, API-related information is scattered across the Microsoft documentation, which was one of the main reasons for this blog post. Another driver was the need to investigate the possibility of direct integration between a security solution's API and a third-party SIEM/SOAR.
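To make the "one API for all providers" option concrete, here is an added example (not code from the original post) that pulls alerts from the Microsoft Graph Security API with an Azure AD app registration and flattens them into the handful of fields a SIEM correlation rule actually needs. The token endpoint, the `/security/alerts` resource and the `SecurityEvents.Read.All` permission are the real Microsoft ones; the tenant, client id and secret are placeholders you supply, and the alert payload at the bottom is a constructed sample that follows the shape of the v1.0 alert resource so the flattening can be run offline.

```python
"""Collect Microsoft Graph Security API alerts and flatten them for a SIEM.

Live use needs an app registration with the SecurityEvents.Read.All
application permission and admin consent. Tenant/client values below are
placeholders (assumption: you fill them in from your own tenant).
"""
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Optional

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"


def get_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """OAuth2 client-credentials flow against Azure AD; returns a bearer token."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def fetch_alerts(token: str, odata_filter: Optional[str] = None) -> List[dict]:
    """GET /security/alerts and follow @odata.nextLink until all pages are read."""
    url = GRAPH_ALERTS_URL
    if odata_filter:
        url += "?" + urllib.parse.urlencode({"$filter": odata_filter})
    alerts: List[dict] = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return alerts


def flatten_alert(alert: dict) -> dict:
    """Reduce one Graph alert to SIEM-friendly scalars; missing fields become None/[]."""
    vendor = alert.get("vendorInformation") or {}
    hosts = alert.get("hostStates") or []
    users = alert.get("userStates") or []
    return {
        "id": alert.get("id"),
        "provider": vendor.get("provider"),   # which product raised it, e.g. MDATP
        "vendor": vendor.get("vendor"),
        "title": alert.get("title"),
        "severity": alert.get("severity"),
        "status": alert.get("status"),
        "created": alert.get("createdDateTime"),
        "hosts": [h.get("fqdn") or h.get("netBiosName") for h in hosts],
        "users": [u.get("userPrincipalName") for u in users],
    }


def count_by_provider(alerts: List[dict]) -> Dict[Optional[str], int]:
    """Quick reporting view: how many alerts each security provider contributed."""
    counts: Dict[Optional[str], int] = {}
    for alert in alerts:
        provider = flatten_alert(alert)["provider"]
        counts[provider] = counts.get(provider, 0) + 1
    return counts


# Constructed sample response (not real tenant data) in the v1.0 alert shape.
SAMPLE_RESPONSE = {
    "value": [
        {
            "id": "alert-0001",
            "title": "Suspicious PowerShell command line",
            "severity": "high",
            "status": "newAlert",
            "createdDateTime": "2020-01-01T10:00:00Z",
            "vendorInformation": {"provider": "ProviderA", "vendor": "Microsoft"},
            "hostStates": [{"fqdn": "ws01.corp.example", "netBiosName": "WS01"}],
            "userStates": [{"userPrincipalName": "alice@corp.example"}],
        },
        {
            "id": "alert-0002",
            "title": "Impossible travel",
            "severity": "medium",
            "status": "inProgress",
            "createdDateTime": "2020-01-01T11:30:00Z",
            "vendorInformation": {"provider": "ProviderB", "vendor": "Microsoft"},
            "hostStates": [],
            "userStates": [{"userPrincipalName": "bob@corp.example"}],
        },
    ]
}

if __name__ == "__main__":
    # Live: token = get_token(TENANT, CLIENT_ID, SECRET); alerts = fetch_alerts(token)
    flat = [flatten_alert(a) for a in SAMPLE_RESPONSE["value"]]
    print(json.dumps(flat, indent=2))
    print(count_by_provider(SAMPLE_RESPONSE["value"]))
```

The paging loop matters in practice: a tenant with several providers returns alerts in pages, and a collector that reads only the first page silently drops alerts. The flattener is deliberately tolerant of missing fields, since providers populate `hostStates` and `userStates` differently.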
List of used acronyms

| Acronym | Meaning |
|---|---|
| IPC | Azure AD Identity Protection |
| AATP | Azure Advanced Threat Protection |
| O365 ATP | Office 365 Advanced Threat Protection |
| O365 UAL | Office 365 Unified Audit Log |
| PIM | Azure AD Privileged Identity Management |
| AIP | Azure Information Protection |
| ISG | Intelligent Security Graph, exposed through the Microsoft Graph Security API |
| MTP | Microsoft Threat Protection |
You can find the results in the picture and the Excel spreadsheet. The list is not 100% accurate but is a good start. Hopefully you will find these as useful as I have :)
The Excel spreadsheet is available for download.