A typical enterprise deploys multiple solutions from different vendors to address its security needs and run its day-to-day operations. This often requires customers to build their own custom automation to bridge the seams between solutions: to automate procedures, integrate data, and orchestrate actions so that security teams can operate effectively and respond to threats. In this publication we are announcing the general availability of the Microsoft Defender ATP APIs, a rich and complete set of APIs geared to fulfill the needs of security operations teams, enabling interoperability with enterprise security applications and automation. These capabilities enable customers to integrate and orchestrate defenses across their solution stack and management systems, and to orchestrate Microsoft Defender ATP itself, so that security teams can respond effectively to modern threats.

What's new in Microsoft Defender ATP APIs

Microsoft Defender ATP offers a layered API model that exposes data and capabilities in a structured, clear and easy-to-use form, through a standard AAD-based authentication and authorization model that allows access in the context of either users or SaaS applications.

Microsoft Defender ATP API model

The API model was designed to expose entities and capabilities in a consistent form; once you have tried one or two examples, the pattern for using other capabilities or entities will be familiar. The API exposes the richness of Microsoft Defender ATP data: calculated or 'profiled' entities (for example, machine, user, and file) and discrete events (for example, process creation and file creation), each of which typically describes a behavior related to an entity. Data is reached through investigation interfaces that allow query-based access. Soon, Microsoft Defender ATP will also expose an event streaming interface allowing customers to flow event data to external storage, correlate it with additional data sources, perform custom analytics, and more.
Additionally, the API exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings and alert status, and take response actions on devices programmatically, such as isolating machines from the network and quarantining files.

Authentication and authorization

Access to the Microsoft Defender ATP APIs is granted in accordance with the service's users and permissions model. For users, Single Sign-On (SSO) and RBAC rules apply; for services, permissions management applies. Using the AAD applications model covers both cases. A user's API calls use the delegated permissions model: the user's context is used when calling the API, leveraging SSO capabilities. Since the user identity is used, the same RBAC rules that apply to an interactive user also apply to the API user. For services, the AAD application model is applied, where the AAD Global Admin grants the permissions to the application. Any change to the application's 'manifested' permissions requires Global Admin consent. Full control. Full transparency.

Summary

With Microsoft Defender ATP APIs, customers can develop their own custom applications and integrate with existing internal tools and processes. This ultimately enables enterprises to connect different solutions together and seamlessly create 'better-together' integrations, using the robust capabilities and data offered by Microsoft Defender ATP across third-party solutions and enterprise security applications.

Additional reading and references

- Microsoft Defender ATP API "Hello World"
- Microsoft Defender ATP & SNOW - MVP blog
- Ticketing system integration – Alert update API
- Help protect the exec – go with the Flow!
- Automate Windows Defender ATP response action: Machine isolation
- Automating Security Operations Using Windows Defender ATP APIs with Python and Jupyter Notebooks
- Palo Alto Networks and WDATP ad-hoc integration
- Slack Alert for Microsoft Defender ATP using Microsoft Flow in 5 minutes
- Microsoft Defender ATP API Documentation
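As an added example (not code from this post or from Microsoft), the following Python decodes the two token shapes the Authentication and authorization section describes, an application token that carries its permissions in a 'roles' claim and a delegated user token that carries them in 'scp', and checks before a call is made whether the token actually holds a permission sufficient for the intended action. The permission names are assumed from the Defender ATP AAD permission model rather than taken from the post, and the sample tokens are constructed and unsigned.

```python
import base64
import json
from typing import Dict, Set

# Permission sufficient for each action. Names follow the Defender ATP AAD
# permission model (Alert.Read is the delegated scope, Alert.Read.All the
# application role) and are assumptions here, not taken from the post.
REQUIRED = {
    "list_alerts": {"Alert.Read", "Alert.Read.All", "Alert.ReadWrite.All"},
    "isolate_machine": {"Machine.Isolate"},
}

def _b64url(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _claims(token: str) -> Dict:
    # Layout is header.payload.signature; only the payload is inspected.
    return json.loads(_b64url(token.split(".")[1]))

def token_kind(token: str) -> str:
    """'application' for a client-credentials token, 'delegated' for a user token."""
    return "application" if "roles" in _claims(token) else "delegated"

def granted_permissions(token: str) -> Set[str]:
    """Application tokens carry permissions in 'roles'; delegated tokens carry
    them space-separated in 'scp'. The signature is NOT verified here (the
    service does that); this is a client-side pre-flight least-privilege check."""
    claims = _claims(token)
    if "roles" in claims:
        return set(claims["roles"])
    return set(claims.get("scp", "").split())

def can_perform(token: str, action: str) -> bool:
    """True if the token carries at least one permission sufficient for action."""
    return bool(REQUIRED[action] & granted_permissions(token))

def make_unsigned_token(claims: Dict) -> str:
    """CONSTRUCTED test token with the AAD claim layout; unsigned, test data only."""
    def enc(d: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed samples: a service principal granted only alert reading, and a
# user whose delegated scope includes machine isolation.
APP_TOKEN = make_unsigned_token({"roles": ["Alert.Read.All"]})
USER_TOKEN = make_unsigned_token({"upn": "analyst@contoso.example",
                                  "scp": "Alert.Read Machine.Isolate"})
```

The service still enforces permissions on every call; the check above only lets an integration fail fast, or request a narrower consent, instead of discovering a missing permission through a 403 at response time.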