Microsoft has announced new APIs for the Microsoft Threat Protection (MTP) platform. The Windows 10 maker also states that the platform is now “integration-ready”. MTP is a platform that gives organizations cross-domain threat detection and response within their Microsoft 365 environments. It collects raw data from endpoints across the individual domains, then analyzes that threat data to give a complete view of attack vectors so that they can be detected, investigated, prevented and responded to efficiently.
Microsoft Threat Protection Platform Gets Several New APIs Alongside Splunk Enterprise and Micro Focus ArcSight FlexConnector:
Microsoft has announced the inclusion of new APIs for the MTP platform. These include the Incidents API and the Cross-product threat hunting API. Additionally, MTP alerts will soon be available via the Microsoft Graph Security API. Microsoft has also indicated that it plans to add an event streaming interface, which will stream event data to external destinations so security professionals can analyze it alongside other data sources and develop custom analytics. The company said the two new APIs are only part of a larger set of APIs being developed in-house; these will be revealed gradually and added to MTP, and are reportedly being designed around the needs of security professionals.
Microsoft noted that the ‘Incidents API’ can reveal comprehensive details about MTP incidents, which the company presents as an evolution beyond simple alert mechanisms. The Incidents API lets security teams monitor and analyze the full scope of an attack and the services it impacted, including information about the severity of alerts and the entities responsible for them.
The ‘Cross-product threat hunting API’ gives security professionals query-based access to the raw datastores in MTP, so data and network threat management teams can apply their own expertise and existing knowledge to create custom queries that detect threats. It is not clear whether Microsoft will let security professionals share their custom queries with other teams to further boost detection of active threats before they negatively impact an organization. Apart from the new APIs, Microsoft also announced Splunk Enterprise and Micro Focus ArcSight FlexConnector Security Information and Event Management (SIEM) connectors, currently available in ‘Preview’. The first lets organizations integrate security incidents with Splunk Enterprise; the second does the same for ArcSight.
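As an added example (not code from Microsoft or from this article), the following Python sketch shows how a SOC script might consume the two APIs described above: it builds the request body for a cross-product hunting query and then triages an Incidents API response into SIEM-friendly lines. The endpoint paths, the JSON field names (`value`, `incidentId`, `severity`, `status`, `alerts`, `serviceSource`), the hunting table and column names, and the sample response are assumptions constructed for this example, not details given on this page.

```python
import json
from collections import Counter

# Assumed base URL and paths (not stated on this page); a real client would
# attach an OAuth bearer token and send these over HTTPS.
BASE_URL = "https://api.security.microsoft.com/api"
HUNTING_PATH = "/advancedhunting/run"
INCIDENTS_PATH = "/incidents"

def build_hunting_request(query: str) -> dict:
    """Return the JSON body for a cross-product hunting query (assumed shape)."""
    return {"Query": query}

# Assumed hunting query: alert volume per product and severity over the last day.
HUNT_QUERY = """AlertInfo
| where Timestamp > ago(1d)
| summarize count() by ServiceSource, Severity"""

# Constructed sample Incidents API response; field names are assumptions.
SAMPLE_INCIDENTS = json.loads("""
{"value": [
 {"incidentId": 101, "incidentName": "Multi-stage incident on 2 endpoints",
  "severity": "High", "status": "Active",
  "alerts": [
    {"alertId": "a1", "serviceSource": "MicrosoftDefenderForEndpoint", "severity": "High"},
    {"alertId": "a2", "serviceSource": "MicrosoftDefenderForIdentity", "severity": "Medium"}]},
 {"incidentId": 102, "incidentName": "Suspicious inbox rule",
  "severity": "Medium", "status": "Resolved",
  "alerts": [
    {"alertId": "a3", "serviceSource": "MicrosoftDefenderForOffice365", "severity": "Medium"}]}
]}""")

def triage(incidents: dict, min_severity: str = "Medium") -> list:
    """Keep active incidents at or above min_severity; count alerts per product."""
    rank = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
    out = []
    for inc in incidents["value"]:
        if inc["status"] != "Active" or rank[inc["severity"]] < rank[min_severity]:
            continue
        sources = Counter(a["serviceSource"] for a in inc["alerts"])
        out.append({"incidentId": inc["incidentId"], "severity": inc["severity"],
                    "products": dict(sources), "cross_domain": len(sources) > 1})
    return out

def to_siem_events(triaged: list) -> list:
    """Flatten triaged incidents into one key=value line each for a SIEM connector."""
    return [f"incident_id={t['incidentId']} severity={t['severity']} "
            f"products={len(t['products'])} cross_domain={str(t['cross_domain']).lower()}"
            for t in triaged]

if __name__ == "__main__":
    print(json.dumps(build_hunting_request(HUNT_QUERY)))
    for line in to_siem_events(triage(SAMPLE_INCIDENTS)):
        print(line)
```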