| title | Accessing incident notifications and DENs using Graph security API | ||
|---|---|---|---|
| ms.reviewer | |||
| description | The method to access Defender Experts Notifications using Graph security API | ||
| ms.service | defender-experts-for-hunting | ||
| ms.author | pauloliveria | ||
| author | poliveria | ||
| ms.localizationpriority | medium | ||
| manager | dansimp | ||
| audience | ITPro | ||
| ms.collection |
|
||
| ms.topic | how-to | ||
| ms.custom |
|
||
| search.appverid | met150 | ||
| ms.date | 10/30/2024 | ||
| appliesto |
|
Defender Experts Notifications are incidents that have been generated from hunting conducted by Defender Experts in your environment. They contain information regarding the hunting investigation and recommended actions provided by Defender Experts. You can now access DENs using the Microsoft Graph security API.
Note
Any incident in the Microsoft Defender portal is a collection of correlated alerts. Learn more
The following Defender Experts Notification details are available in the Microsoft Defender portal:
- Incident title - starts with Defender Experts to distinguish Defender Experts Notifications from other incidents
- Executive summary - provides an overview of the investigation summary
- Recommendation summary - lists the recommended actions from Defender Experts
- Advanced hunting queries - lists the converted KQL hunting queries used for the investigation
In Microsoft Graph security API, the following fields are also available:
- Graph endpoint - https://graph.microsoft.com/beta/security/incidents
- The following field names that correspond to the details mentioned earlier:
- displayName
- description
- recommendedActions
- recommendedHuntingQueries
Note
These fields will soon be available in Graph v1.0 endpoint. For more information, see Microsoft Graph REST API v1.0
Your approach to consuming Defender Experts Notifications from the API will vary depending on the downstream system you intend to use and your specific requirements. However, the following steps are a basic implementation to help you get started:
Starting from incidents in the Graph API
- Get incidents from Graph security API.
- Check for new incidents where displayName starts with Defender Experts.
- Continue reading the remaining fields for such incidents.
- Synchronize the Defender Experts Notification (DEN) information into your downstream tool (for example, ServiceNow).
Starting from alerts in the Graph API
- Get alerts from Graph security API.
- Check for new alerts where detectionSource starts with microsoftThreatExperts.
- Look up corresponding incident by checking incidentId listed on the alert.
- Continue reading the remaining fields for such incidents.
- Synchronize the Defender Experts Notification (DEN) information into your downstream tool (for example, ServiceNow).