Microsoft Defender Use case queries

Kishor Shaw 1 Reputation point
2022-07-26T04:16:00.647+00:00

Hi,

I have the below requirements with regard to Microsoft Defender:

  1. Mailflow Health (good,malware,phish,spam): Monitor email classification trends over time to determine whether a tenant is experiencing a spam/malware/phishing attack
  2. User reported messages: Track reporting rates of suspicious emails over time & subsequently analyze reported messages and adjust EOP filters as needed
  3. Top senders and recipients: Track the biggest offenders to determine possible account compromise and to identify ‘comms clutterers’ and see if their communications can be optimized further.
  4. Mail latency report: Track latency within the Exchange Online infrastructure
  5. Compromised users: Report for users classified as suspicious or restricted.

Could you please help me with the available Graph/Defender APIs to work with these use cases?

Regards,
Kishor

Microsoft Graph
1 answer

  1. Catherine Kyalo 565 Reputation points Microsoft Employee
    2024-01-31T10:28:52.6233333+00:00

    Hi @Kishor Shaw,

    To monitor email classification trends, you can use the Graph API endpoint /reports/getEmailAppUsageUserDetail(period='D7'). This provides email usage statistics for each user, including counts for received, sent, read, and deleted emails, along with classification information for spam, phishing, and malware. You can also use the Microsoft Defender for Office 365 portal to view email security reports, including a Mail Flow Dashboard and Email Link Analysis.

    To track reported messages, you can use the Graph API endpoint /security/actionableAlerts, which provides a list of actionable alerts that include user-reported messages. You can also use the Microsoft Defender for Office 365 portal to view email security reports, including a Threat Protection Status dashboard and Email Threat Protection report.

    To track top senders and recipients, you can use the Graph API endpoint /reports/getEmailActivityCounts(period='D7'). This provides email activity counts for each user, including sent, received, and read emails, along with counts for external and internal communications. You can also use the Microsoft Defender for Office 365 portal to view email security reports, including a Mail Flow Dashboard and Email Link Analysis.

    To track mail latency, you can use the Graph API endpoint /reports/getEmailActivityUserDetail(period='D7'). This provides email activity detail for each user, including latency information for sent and received emails. You can also use the Exchange Online Message Trace tool to view message tracking information, including latency information.

    To report on compromised users, you can use the Graph API endpoint /security/alerts. This provides a list of security alerts, including alerts related to compromised users. You can also use the Microsoft Defender for Office 365 portal to view email security reports, including a Threat Protection Status dashboard and Email Threat Protection report.

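The answer above points at the Graph usage reports for use case 3 (top senders and recipients) and at them as a source of compromise signals. The reports endpoints do not return JSON; a GET on `/reports/getEmailActivityUserDetail(period='D7')` answers with a 302 redirect to a CSV download. The script below, an example added by the editor and not code from the thread or from Microsoft, downloads that CSV (the `fetch_report` helper needs a real bearer token with `Reports.Read.All` and is not called offline), parses it, ranks mailboxes by send and receive volume, and flags mailboxes whose outbound count is far above the median of active senders, which is the classic footprint of an account relaying spam or phish after compromise. The column names (`User Principal Name`, `Send Count`, `Receive Count`, `Read Count`) are assumed from the v1.0 report layout, and the embedded CSV is constructed sample data, not a real tenant export.

```python
"""Rank senders/recipients and flag send-volume outliers from a Graph usage report.

Editor-added example; not code from the Q&A thread.  Assumptions:
  * /reports/getEmailActivityUserDetail(period='D7') returns a CSV with the
    columns "User Principal Name", "Send Count", "Receive Count", "Read Count";
  * SAMPLE_CSV below is constructed for illustration and is not real tenant data.
"""
import csv
import io
import statistics
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample, shaped like the D7 report: one row per mailbox.
# "dave" is the planted anomaly: huge outbound volume, almost nothing read.
SAMPLE_CSV = """\
Report Refresh Date,User Principal Name,Display Name,Is Deleted,Deleted Date,Last Activity Date,Send Count,Receive Count,Read Count,Assigned Products,Report Period
2022-07-25,alice@contoso.example,Alice,False,,2022-07-25,42,310,280,OFFICE 365 E3,7
2022-07-25,bob@contoso.example,Bob,False,,2022-07-24,38,295,250,OFFICE 365 E3,7
2022-07-25,carol@contoso.example,Carol,False,,2022-07-25,55,420,400,OFFICE 365 E3,7
2022-07-25,dave@contoso.example,Dave,False,,2022-07-25,1840,60,12,OFFICE 365 E3,7
2022-07-25,eve@contoso.example,Eve,False,,2022-07-23,0,180,150,OFFICE 365 E3,7
"""


def fetch_report(token: str, report: str = "getEmailActivityUserDetail(period='D7')") -> str:
    """Download a reports endpoint.  Graph answers 302 to a pre-authenticated
    CSV URL; urllib follows it.  Needs a token with Reports.Read.All (not run here)."""
    req = urllib.request.Request(f"{GRAPH}/reports/{report}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8-sig")  # strips the BOM the report carries


def parse_report(text: str) -> list[dict]:
    """Parse the report CSV; numeric columns become ints (blank -> 0)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text.lstrip("\ufeff"))):
        for col in ("Send Count", "Receive Count", "Read Count"):
            row[col] = int(row.get(col) or 0)
        rows.append(row)
    return rows


def top_users(rows: list[dict], column: str = "Send Count", n: int = 3) -> list[tuple]:
    """Top-n mailboxes by the given count column: the 'comms clutterers'."""
    ranked = sorted(rows, key=lambda r: r[column], reverse=True)
    return [(r["User Principal Name"], r[column]) for r in ranked[:n]]


def flag_send_outliers(rows: list[dict], factor: int = 10) -> list[str]:
    """Mailboxes whose send count is >= factor x the median of active senders.

    Median (not mean) so one compromised relay does not drag the baseline up
    and hide itself; zero-send mailboxes are excluded from the baseline."""
    sends = [r["Send Count"] for r in rows if r["Send Count"] > 0]
    if not sends:
        return []
    threshold = factor * statistics.median(sends)
    return [r["User Principal Name"] for r in rows if r["Send Count"] >= threshold]


if __name__ == "__main__":
    data = parse_report(SAMPLE_CSV)  # swap for fetch_report(token) against a tenant
    print("top senders:   ", top_users(data, "Send Count"))
    print("top recipients:", top_users(data, "Receive Count"))
    print("send outliers: ", flag_send_outliers(data))
```

Run the outlier check on each day's D7 pull and alert on new entries rather than on the absolute list; a mailbox that is always in the top three (a ticketing or notification account) is clutter, whereas one that appears for the first time with a low read count is the account-compromise signal use case 5 is after.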