Day17-Hunting-APIcalls-insight.md


Advanced Hunting - API calls insight

APIs are highly valuable for security operations, and nowadays, we are increasingly transitioning towards more SOAR solutions. These solutions facilitate incident management, response to impacted assets, and report generation using APIs.

First, I really like this blog post, which discusses how to use MDE API calls effectively to tag devices: How to use tagging effectively (Part 3) - Scripting tags

Today, I'd like to share some insights, based on my past testing, to clear up the confusion around the hunting-related API calls.

First discovery: many APIs

As far as I know, there were originally MDE APIs for advanced hunting. However, after XDR was introduced to Microsoft Security (first as Microsoft Threat Protection, then Microsoft 365 Defender, and nowadays called Microsoft Defender XDR), we started using the Advanced Hunting APIs. Now there is a shift towards using the Microsoft Graph security API instead of the Advanced Hunting API.

As you can see in the Microsoft documentation, the Advanced Hunting API is described as the old version, and it is recommended to use the Microsoft Graph security API instead.

[image]

When we consider the API history, it appears as follows:

[image: API history]

Second discovery: different permissions

We have now discussed three different advanced hunting-related APIs, but determining the appropriate API permissions can be confusing. Each of the three APIs requires different permissions, so depending on which API you are using (the Microsoft Graph security API is recommended), you will need to assign the matching permissions.

[image: API permissions]

This is the actual PowerShell script demonstrating the Advanced Hunting API. I often notice mistakes caused by using the wrong API URL, so I've included the three different API URLs for comparison:

  • Code 34 - Microsoft Defender for Endpoint Advanced Hunting API
  • Code 37 - Microsoft Defender XDR Advanced Hunting API

[image]

  • Code 44 - Microsoft Graph security API

[image]

Simulation

As the Advanced Hunting API shifts to the Microsoft Graph Security API, I've written a PowerShell script that uses the Microsoft Graph Security API to perform advanced hunting and then tags the resulting devices using Microsoft Defender for Endpoint API calls.

[image]

Simulation script: MDE-APIcallSimu.ps1
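To show the two points above together (the Graph security API hunting URL versus the older Advanced Hunting URLs, and the separate permissions and tokens each API needs), here is an added example of my own; it is not the MDE-APIcallSimu.ps1 script. It assumes an app registration with the Graph ThreatHunting.Read.All and MDE Machine.ReadWrite.All application permissions, and the tenant, app id, secret, query and tag name are placeholders.

```powershell
# Added example (not the page's MDE-APIcallSimu.ps1): run an advanced hunting query
# through the Microsoft Graph security API, then tag matching devices through the MDE API.
# Assumptions: an app registration holding Graph ThreatHunting.Read.All and
# MDE Machine.ReadWrite.All application permissions; the three values below are placeholders.
$TenantId     = '<tenant-id>'
$ClientId     = '<app-id>'
$ClientSecret = '<client-secret>'   # in production read this from Key Vault, not a script file

function Get-ApiToken {
    # Graph and MDE are different audiences, so each needs its own token (a Graph token is rejected by MDE).
    param([string]$Scope)
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = $Scope
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    return $resp.access_token
}

$graphToken = Get-ApiToken -Scope 'https://graph.microsoft.com/.default'
$mdeToken   = Get-ApiToken -Scope 'https://api.securitycenter.microsoft.com/.default'

# Constructed KQL: devices that ran a network scanner in the last day.
$query = @'
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName =~ "nmap.exe"
| summarize by DeviceId, DeviceName
'@

# Graph security API URL (the one the page recommends), not the older .../advancedhunting/run
# or .../advancedqueries/run endpoints; mixing a URL with the wrong token is the usual mistake.
$hunt = Invoke-RestMethod -Method Post `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
    -Headers @{ Authorization = "Bearer $graphToken" } `
    -ContentType 'application/json' `
    -Body (@{ Query = $query } | ConvertTo-Json)

foreach ($row in $hunt.results) {
    # Tagging is an MDE API call, so it uses the MDE token; DeviceId is the machine id MDE expects.
    $tagBody = @{ Value = 'Hunt-NetworkScanner'; Action = 'Add' } | ConvertTo-Json
    Invoke-RestMethod -Method Post `
        -Uri "https://api.securitycenter.microsoft.com/api/machines/$($row.DeviceId)/tags" `
        -Headers @{ Authorization = "Bearer $mdeToken" } `
        -ContentType 'application/json' -Body $tagBody | Out-Null
    Write-Host "Tagged $($row.DeviceName) ($($row.DeviceId))"
}
```

If the app is missing one of the two permissions, the corresponding call fails with 401/403 while the other still works, which is a quick way to tell a URL mistake from a permission mistake.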

Reference

  1. How to use tagging effectively (Part 3) - Scripting tags
  2. The new Microsoft 365 Defender APIs in Microsoft Graph are now available in public preview!

Disclaimer

The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the company.