I am researching a little bit about MDE/MDO's API capabilities for advanced threat hunting.
My question is: is it possible to query MDE/MDO's API with KQL?
Any info would be highly appreciated.
Thanks
Goal: using KQL to hunt for threats utilising MDE/MDO's API.
You may explore the http_request (GET) and http_request_post (POST) plugins to send an HTTP request to your APIs and convert the response into a table.
Please note that they are disabled by default for security reasons; I would highly recommend reading the documentation very carefully before you try them, as the plugins allow queries to send data and the user's security token to external, user-specified network endpoints.
Here are sample query examples for reference:
http_request (GET):
let Uri = "https://prices.azure.com/api/retail/prices?$filter=serviceName eq 'Azure Purview' and location eq 'EU West'";
evaluate http_request(Uri)
| project ResponseBody.Items
| mv-expand ResponseBody_Items
| evaluate bag_unpack(ResponseBody_Items)
http_request_post (POST):
let uri = 'https://example.com/node/js/on/eniac';
let headers = dynamic({'x-ms-correlation-vector':'abc.0.1.0', 'authorization':'bearer...Azure-AD-bearer-token-for-target-endpoint...'});
evaluate http_request_post(uri, headers)
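An added example (not part of the answer above and not Microsoft's own sample) of how the same plugin could call the Microsoft Defender for Endpoint Advanced Hunting API from a Kusto cluster where an admin has enabled http_request_post. The endpoint URL, the {"Query": ...} request body and the Results field of the response are assumptions drawn from the public MDE API, the four-argument plugin signature (Uri, RequestHeaders, Options, Content) is taken from the plugin documentation, and the token placeholder must be replaced with a real bearer token obtained out of band:

```kql
// Added example: run an MDE Advanced Hunting query via http_request_post.
// Assumed endpoint of the Defender for Endpoint Advanced Hunting API.
let Uri = "https://api.securitycenter.microsoft.com/api/advancedhunting/run";
// The hunting query that MDE will execute; here a simple detection for
// PowerShell launched with an encoded command line in the last 24 hours.
let HuntQuery = strcat(
    "DeviceProcessEvents",
    " | where Timestamp > ago(1d)",
    " | where FileName =~ 'powershell.exe'",
    " | where ProcessCommandLine has_any ('-enc', '-EncodedCommand')",
    " | project Timestamp, DeviceName, AccountName, ProcessCommandLine",
    " | take 100");
// Placeholder token: replace with a short-lived, least-privilege bearer token.
let Headers = dynamic({
    "authorization": "bearer <PLACEHOLDER-bearer-token>",
    "content-type": "application/json"});
// Assumed body shape of the API: a JSON object with a single "Query" member.
let Body = tostring(bag_pack("Query", HuntQuery));
evaluate http_request_post(Uri, Headers, dynamic({}), Body)
// Assumed response shape: ResponseBody.Results holds one object per row.
| project Results = ResponseBody.Results
| mv-expand Results
| evaluate bag_unpack(Results)
```

Because the bearer token is part of the query text, it will appear in the cluster's query history and logs; use a short-lived token scoped only to advanced-hunting read access and restrict who can run such queries.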