Microsoft recently announced the General Availability of the Windows Defender Advanced Threat Protection (ATP) API. The Defender ATP API is a set of APIs built to streamline processes for security operations teams. Instead of bridging various security packages from disparate vendors, the goal of the Defender ATP API suite is to simplify the ability to secure an enterprise while maintaining interoperability across applications.
"These capabilities enable customers to integrate and orchestrate defenses across their solution Stack and management systems to orchestrate Microsoft Defender ATP, enabling security teams to effectively respond to modern threats," Microsoft's Dan Michelson commented in a Microsoft community post.
The APIs expose ATP data through profiled entities and discrete events. Profiled entities include options such as machines, users, files, etc. Discrete events include options like process creation, file creation, etc. Based on profiles and actions, the API has the ability to expose threats and act accordingly. Actions can be indicator creation, setting management, alert status, and more.
The API requires OAuth2.0 Authentication. Users must create an AAD application, receive token access and use the token to access the API. The API can be accessed with Application Context or User Context. To learn more, visit the Windows Defender ATP API overview. To get started, sign up for a free trial.