Sometimes isolating or blocking user actions (like downloads) is too restrictive – instead you just want to warn or ‘educate’ him. At the same time, I don’t know too many ITpros that enjoy talking to their end-users (I think we all should, but this is another story). Today we will look into a flow-automation of Microsoft Defender Advanced Threat Protection (MDATP) alerts.
In the past, we could consume the MDATP API ‘on demand’ (pull) by PowerShell for example.
We could even do advanced hunting queries via the API.
However, pulling the data out of MDATP might bring in some delay in one or the other scenario and the information from the advanced hunting results are limited to the last 30 days.
With the brand new ‘Streaming API’, Microsoft is offering a new approach to make data from MDATP available outside of the portal.