
KQL Querying MDE/MDO's API

I am researching a bit about MDE/MDO's API capabilities for advanced threat hunting.

My question is: is it possible to query MDE/MDO's API with KQL?

Any info would be highly appreciated.

Thanks

Goal: using KQL to hunt for threats utilising MDE/MDO's API.

You may explore the http_request (GET) and http_request_post (POST) plugins to send an HTTP request to your APIs and convert the response into a table.

Please note that they are disabled by default for security reasons; I would highly recommend reading the documentation very carefully before you try them, as the plugins allow queries to send data and the user's security token to external, user-specified network endpoints.

Here are sample query examples for reference:

http_request (GET):

 // Query a public REST endpoint and flatten the JSON response into rows
 let Uri = "https://prices.azure.com/api/retail/prices?$filter=serviceName eq 'Azure Purview' and location eq 'EU West'";
 evaluate http_request(Uri)
 | project ResponseBody.Items            // ResponseBody is the parsed JSON (dynamic)
 | mv-expand ResponseBody_Items          // one row per array element
 | evaluate bag_unpack(ResponseBody_Items)  // property bag -> columns

http_request_post (POST):

 // POST to an authenticated endpoint; the bearer token travels in the request headers
 let uri='https://example.com/node/js/on/eniac';
 let headers=dynamic({'x-ms-correlation-vector':'abc.0.1.0', 'authorization':'bearer...Azure-AD-bearer-token-for-target-endpoint...'});
 evaluate http_request_post(uri, headers)
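Applying the same plugin to Defender for Endpoint itself, as an added example that is not part of the original answer: the MDE Advanced Hunting API endpoint `https://api.securitycenter.microsoft.com/api/advancedhunting/run` takes a POST whose JSON body is `{"Query": "<KQL>"}` and returns an object with `Schema` and `Results`. The `<access-token>` placeholder, the inner hunting query and the empty Options bag are assumptions; the request only works once the cluster's callout policy permits `webapi` calls to that host and the token carries an Advanced Hunting permission (AdvancedQuery.Read.All for an application token).

```kusto
// Added example, not from the original answer: run an MDE Advanced Hunting
// query through http_request_post and turn the Results array into a table.
// Assumptions: a real bearer token replaces <access-token>; the inner query is
// illustrative; the callout policy allows webapi calls to api.securitycenter.microsoft.com.
let uri = 'https://api.securitycenter.microsoft.com/api/advancedhunting/run';
let headers = dynamic({
    'authorization': 'bearer <access-token>',   // assumption: Entra ID token for the MDE resource
    'content-type': 'application/json'
});
// Advanced Hunting API body format: {"Query": "<KQL>"}; inner single quotes are escaped for the outer literal
let body = '{"Query": "DeviceProcessEvents | where Timestamp > ago(1d) | where FileName =~ \'powershell.exe\' | project Timestamp, DeviceName, ProcessCommandLine | take 20"}';
evaluate http_request_post(uri, headers, dynamic({}), body)   // 3rd arg: Options (none needed here)
| project Results = ResponseBody.Results   // response is {Schema: [...], Results: [...]}
| mv-expand Results                        // one row per hunting result
| evaluate bag_unpack(Results)             // Timestamp, DeviceName, ProcessCommandLine become columns
```

Note that the Advanced Hunting API already executes KQL on the Defender side, so the value of this round trip is in joining the returned rows against data in your own cluster; the cost is exactly the risk the answer warns about, since the bearer token leaves the cluster in the request header.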
