API to get Microsoft Defender Campaigns

Hashem Barakat 0

Is there a way to get the Campaigns data inside the Microsoft Defender Portal using an API?
User's image

James Hamil 26,981 Reputation points Microsoft Employee

2025-01-06T21:08:33.42+00:00

Hi @Hashem Barakat , what information do you need specifically from here?
Hashem Barakat 0 Reputation points

2025-01-07T05:51:43.2166667+00:00

Hi James, I am mainly looking for the Campaigns in the last month, the Name, Sample subject, Recipients, Inboxed, Clicked.

I have tried both Graph API and Defender API but i couldnt find anything related to the data i want.

Thank you.
James Hamil 26,981 Reputation points Microsoft Employee

2025-01-09T23:13:58.37+00:00

Hi @Hashem Barakat , I reached out to the Product Group about this, I'll let you know what I find!

Best,

James
Hashem Barakat 0 Reputation points

2025-01-10T05:43:28.29+00:00

Perfect, Thank you.
James Hamil 26,981 Reputation points Microsoft Employee

2025-01-23T20:59:34.34+00:00

Hi @Hashem Barakat , while checking network trace I found this:

"https://security.microsoft.com/api/CampaignIntelligence/GetKqlQuery?threatType=Campaign"

Payload:

{"startTime":"2025-01-20T07:00:00.000Z","endTime":"2025-01-22T06:59:59.000Z","query":{"ShouldUseRawContent":false,"RawContent":"","Root":{"$type":"Microsoft.Office.Compliance.Repository.ComplexCondition, Microsoft.Office.Compliance.Repository","Logic":"And","Conditions":[{"$type":"Microsoft.Office.Compliance.Repository.SimpleCondition, Microsoft.Office.Compliance.Repository","IsExclusive":false,"IsLeaf":true,"Property":"campaigndata_CampaignName","Operator":"EqualAnyof","ValueType":"String","Values":["abc"]}],"IsExclusive":false}}}

But unfortunately, I can't find any documentation on this yet. I've reached out to find more and I'll let you know when I do.

Best,

James
Hashem Barakat 0 Reputation points

2025-01-28T06:38:03.85+00:00

Hi James,

Thank you for suggesting network tracing! I was able to retrieve the data I needed using the following API: https://security.microsoft.com/apiproxy/di/Aggregate/CampaignIntelligenceData?tenantid=tenant_ID&startTime=2025-01-01T08:00:00.000Z&endTime=2025-01-25T07:59:59.000Z.

However, I’m unsure if there’s a way to authorize the requests via OAuth2. The only method I found was using the token and XSRF-Token generated during the login session. To work around this, I wrote a Python script that automates logging into Microsoft Defender using my account credentials. The script retrieves the cookie and XSRF-Token values, which are then used to make the necessary API requests and fetch the required data.

Let me know if you have any insights on enabling OAuth2 for this process.

Best,

Hashem
Hashem Barakat 0 Reputation points

2025-01-28T08:26:56.8166667+00:00

Hi James,

Thank you for suggesting network tracing! I was able to retrieve the data I needed using the following API: https://security.microsoft.com/apiproxy/di/Aggregate/CampaignIntelligenceData?tenantid=tenant_ID&startTime=2025-01-01T08:00:00.000Z&endTime=2025-01-25T07:59:59.000Z.

However, I’m unsure if there’s a way to authorize the requests via OAuth2. The only method I found was using the token and XSRF-Token generated during the login session. To work around this, I wrote a Python script that automates logging into Microsoft Defender using my account credentials. The script retrieves the cookie and XSRF-Token values, which are then used to make the necessary API requests and fetch the required data.

Let me know if you have any insights on enabling OAuth2 for this process.

Best regards,

Hashem
James Hamil 26,981 Reputation points Microsoft Employee

2025-02-05T00:00:03.76+00:00

Hi @Hashem Barakat , unfortunately I'm not aware of other ways to authorize this. I can look into it and let you know what I find.

Best,

James

1 answer

DAVID BELOVED 0 Reputation points

2025-01-28T09:30:07.04+00:00
you can retrieve Microsoft Defender campaigns data through the Microsoft Graph Security API. This API allows you to interact programmatically with various Microsoft Defender services, including Microsoft Defender for Endpoint and Microsoft Defender for Identity, to retrieve threat-related information like campaigns, alerts, and more.

To get campaign data specifically, you can query the SecurityAlert or SecureScore API, which provides data on active threats, alerts, and campaigns.

Steps to get Campaign Data via Microsoft Defender API:

Authenticate: Use Azure Active Directory (Azure AD) to authenticate and get an access token to interact with Microsoft Graph API.

Query Campaigns Data: Use the endpoint to retrieve alerts, which can include campaigns:

GET https://graph.microsoft.com/v1.0/security/alerts

You can filter and expand the results based on campaign and other details. Microsoft Defender may categorize threats into campaigns, so look for a relevant field like campaignName or campaignId in the response.

Microsoft Defender API Endpoints: Some relevant Microsoft Defender endpoints include:

Microsoft Defender for Endpoint: https://graph.microsoft.com/v1.0/security/alerts

Microsoft Defender for Identity: https://graph.microsoft.com/v1.0/security/identityProtection/riskDetections

Microsoft Defender for Cloud Apps: https://graph.microsoft.com/v1.0/security/cloudAppSecurity

Microsoft Defender for Cloud: https://graph.microsoft.com/v1.0/security/secureScores

Data Fields: After querying these endpoints, you should examine the response to identify the campaigns. The response will contain threat or alert information, including details of campaigns, severity, affected entities, etc.

Example of querying alerts:

GET https://graph.microsoft.com/v1.0/security/alerts?$filter=campaignName eq 'Campaign XYZ'

This will give you all alerts related to a specific campaign.

Authentication Setup:

Get Azure AD Token: Make sure to follow the process for registering an app in Azure AD and use OAuth 2.0 to obtain an access token.

Permissions: Ensure you request the necessary permissions like SecurityEvents.Read.All or Security.Read.All for reading data related to security alerts and campaigns.

You can find more documentation and detailed API references on Microsoft’s official Graph API DAVID BELOVED
Please sign in to rate this answer.
DAVID BELOVED 0 Reputation points

2025-01-28T09:30:42.5133333+00:00

Do you find it helpful
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

API to get Microsoft Defender Campaigns

1 answer

Your answer