https://security.microsoft.com

Auth

POST /

OAuth 2.0 auth code grant with response_mode=form_post

  • code
  • id_token: JWT Playground
  • state: OpenIdConnect.AuthenticationProperties=<encrypted?>
  • session_state guid
  • correlation_id guid

Returns sccauth cookie and redirect
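The form_post body above is what the relying party actually receives. The following added example (not the portal's own code) parses that body, decodes the id_token segments for inspection, and checks the returned state against the one the client issued; the token, authorization code and state values are constructed placeholders.

```python
"""Inspect the response_mode=form_post body that the browser POSTs to / at the
end of the auth code grant. Added example, not the portal's code; the token,
code and state values below are constructed placeholders."""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs

# The five fields observed in the POST / body.
FORM_FIELDS = ("code", "id_token", "state", "session_state", "correlation_id")


def b64url_decode(s: str) -> bytes:
    """JWT segments drop base64 padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_form_post(body: str) -> dict:
    """Split the urlencoded POST body into the five fields listed above."""
    fields = parse_qs(body, keep_blank_values=True)
    missing = [k for k in FORM_FIELDS if k not in fields]
    if missing:
        raise ValueError(f"form_post body is missing {missing}")
    return {k: fields[k][0] for k in FORM_FIELDS}


def decode_jwt(token: str) -> tuple:
    """Return (header, claims) of a compact JWS. This only decodes the segments;
    signature, issuer, audience and nonce are not checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-segment compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def state_matches(received: str, issued: str) -> bool:
    """The state echoed back must equal the one the client issued; compare in
    constant time so the check itself leaks nothing about the value."""
    return hmac.compare_digest(received.encode(), issued.encode())


# --- constructed sample, not a real token ------------------------------------
def sample_id_token() -> str:
    """Build an HS256 token with a throwaway key so the decode path has input."""
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": "https://login.microsoftonline.com/<tenant ID>/v2.0",
              "aud": "<client id placeholder>", "tid": "<tenant ID>", "nonce": "n-1"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(b"constructed-test-key", signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


ISSUED_STATE = "OpenIdConnect.AuthenticationProperties=OPAQUE_PLACEHOLDER"
SAMPLE_BODY = ("code=AUTHCODE_PLACEHOLDER&id_token=" + sample_id_token()
               + "&state=OpenIdConnect.AuthenticationProperties%3DOPAQUE_PLACEHOLDER"
               + "&session_state=00000000-0000-0000-0000-000000000001"
               + "&correlation_id=00000000-0000-0000-0000-000000000002")

if __name__ == "__main__":
    fields = parse_form_post(SAMPLE_BODY)
    print(decode_jwt(fields["id_token"])[1])
    print("state ok:", state_matches(fields["state"], ISSUED_STATE))
```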


GET /v2/advanced-hunting?tid=<tenant ID> with sccauth cookie

Returns the page and sets the XSRF-TOKEN cookie

huntingService

GET /apiproxy/mtp/huntingService/schema with sccauth cookie and X-XSRF-TOKEN header

Returns Advanced Hunting table metadata and schemas for the authenticated tenant

{
  "Tables": [
    {
      "Schema": [
        {
          "Description": "Date and time when the record was generated",
          "Type": "DateTime",
          "Entity": null,
          "Name": "Timestamp"
        },
        {
          "Description": "Unique identifier for the alert",
          "Type": "String",
          "Entity": "Alert",
          "Name": "AlertId"
        },
        {
          "Description": "Title of the alert",
          "Type": "String",
          "Entity": null,
          "Name": "Title"
        }
        <snip>
      ],
      "TableSection": "AlertsAndObservations",
      "TableRetention": {
        "HotDays": 30,
        "ColdDays": 0,
        "TotalInteractiveDays": 30
      },
      "TableType": "Regular",
      "Tags": null,
      "HasData": true,
      "Name": "AlertInfo"
    }
  ],
  "Functions": null
}

POST /apiproxy/mtp/huntingService/queryExecutor?useFanOut=false with sccauth cookie and X-XSRF-TOKEN header

Executes an Advanced Hunting query; the request body carries the following parameters, similar to Microsoft Graph's runHuntingQuery

{
    "QueryText": "AADSignInEventsBeta | getschema",
    "StartTime": "2024-10-19T08:39:36.820Z",
    "EndTime": "2024-10-26T08:39:36.820Z",
    "MaxRecordCount": null,
    "TenantIds": null,
    "tenantIds": null,
    "selectedWorkspaces": null
}

Results

{
    "Quota": {
        "QueryCpuUsage": 0,
        "CpuLoad": 0,
        "ExecutionTime": "00:00:01.1144704",
        "TotalCpuTime": "00:00:00"
    },
    "ChartVisualization": {
        "ChartType": "None"
    },
    "Schema": [
        {
            "Name": "ColumnName",
            "Type": "String",
            "Entity": null
        },
        {
            "Name": "ColumnOrdinal",
            "Type": "Int32",
            "Entity": null
        },
        {
            "Name": "DataType",
            "Type": "String",
            "Entity": null
        },
        {
            "Name": "ColumnType",
            "Type": "String",
            "Entity": null
        }
    ],
    "Results": [
        {
            "ColumnName": "Timestamp",
            "ColumnOrdinal": 0,
            "DataType": "System.DateTime",
            "ColumnType": "datetime"
        },
        {
            "ColumnName": "Application",
            "ColumnOrdinal": 1,
            "DataType": "System.String",
            "ColumnType": "string"
        },
        {
            "ColumnName": "ApplicationId",
            "ColumnOrdinal": 2,
            "DataType": "System.String",
            "ColumnType": "string"
        },
        <snip>
    ]
}
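The schema document and the queryExecutor request/response above fit together: the table's TableRetention bounds the StartTime/EndTime window a query may ask for, and the response's Schema array is what gives the Results rows their types. The following added example (not the portal's code) indexes a schema document, builds a queryExecutor body whose window respects retention, and converts Results into typed rows; the schema and response documents are constructed to match the shapes shown on the page, trimmed to a few columns.

```python
"""Helpers for the huntingService endpoints: index /schema, build a
queryExecutor body, parse its Results. Added example; the documents below are
constructed to mirror the page's samples, not captured from the service."""
from datetime import datetime, timedelta, timezone
import json

SCHEMA_DOC = {"Tables": [{"Name": "AlertInfo", "HasData": True, "TableType": "Regular",
    "TableRetention": {"HotDays": 30, "ColdDays": 0, "TotalInteractiveDays": 30},
    "Schema": [{"Name": "Timestamp", "Type": "DateTime", "Entity": None},
               {"Name": "AlertId", "Type": "String", "Entity": "Alert"},
               {"Name": "Title", "Type": "String", "Entity": None}]}],
    "Functions": None}

RESULT_DOC = {  # shape of a queryExecutor response to "AADSignInEventsBeta | getschema"
    "Quota": {"QueryCpuUsage": 0, "CpuLoad": 0, "ExecutionTime": "00:00:01.1144704",
              "TotalCpuTime": "00:00:00"},
    "ChartVisualization": {"ChartType": "None"},
    "Schema": [{"Name": "ColumnName", "Type": "String", "Entity": None},
               {"Name": "ColumnOrdinal", "Type": "Int32", "Entity": None},
               {"Name": "DataType", "Type": "String", "Entity": None},
               {"Name": "ColumnType", "Type": "String", "Entity": None}],
    "Results": [
        {"ColumnName": "Timestamp", "ColumnOrdinal": 0, "DataType": "System.DateTime",
         "ColumnType": "datetime"},
        {"ColumnName": "Application", "ColumnOrdinal": 1, "DataType": "System.String",
         "ColumnType": "string"}]}


def index_schema(doc: dict) -> dict:
    """Map table name -> column types, interactive retention window, HasData."""
    out = {}
    for t in doc.get("Tables") or []:
        out[t["Name"]] = {
            "columns": {c["Name"]: c["Type"] for c in t.get("Schema") or []},
            "retention_days": (t.get("TableRetention") or {}).get("TotalInteractiveDays", 0),
            "has_data": bool(t.get("HasData")),
        }
    return out


SCHEMA_INDEX = index_schema(SCHEMA_DOC)


def window_allowed(index: dict, table: str, lookback_days: int) -> bool:
    """A query window longer than TotalInteractiveDays cannot be served."""
    return 0 < lookback_days <= index[table]["retention_days"]


def iso_ms(dt: datetime) -> str:
    """Render an aware datetime like the page's samples: 2024-10-19T08:39:36.820Z."""
    u = dt.astimezone(timezone.utc)
    return u.strftime("%Y-%m-%dT%H:%M:%S.") + f"{u.microsecond // 1000:03d}Z"


def build_query_request(query_text: str, table: str, lookback_days: int,
                        index: dict, now: datetime) -> dict:
    """Body for POST /apiproxy/mtp/huntingService/queryExecutor?useFanOut=false."""
    if not window_allowed(index, table, lookback_days):
        raise ValueError(f"{table}: {lookback_days} days exceeds interactive retention")
    return {"QueryText": query_text,
            "StartTime": iso_ms(now - timedelta(days=lookback_days)),
            "EndTime": iso_ms(now),
            "MaxRecordCount": None, "TenantIds": None, "tenantIds": None,
            "selectedWorkspaces": None}


def build_sample_request() -> dict:
    """Fixed 'now' matching the page's EndTime, seven-day window."""
    now = datetime(2024, 10, 26, 8, 39, 36, 820000, tzinfo=timezone.utc)
    return build_query_request("AlertInfo | take 10", "AlertInfo", 7, SCHEMA_INDEX, now)


_CONVERTERS = {"String": str, "Int32": int, "Int64": int, "Boolean": bool,
               "DateTime": lambda v: datetime.fromisoformat(v.replace("Z", "+00:00"))}


def parse_query_response(resp: dict) -> list:
    """Turn Schema + Results into dicts with Python-typed values in schema column
    order; unknown Type values are passed through unchanged."""
    schema = resp.get("Schema") or []
    rows = []
    for rec in resp.get("Results") or []:
        row = {}
        for col in schema:
            v = rec.get(col["Name"])
            conv = _CONVERTERS.get(col["Type"])
            row[col["Name"]] = conv(v) if (conv and v is not None) else v
        rows.append(row)
    return rows


def execution_seconds(resp: dict) -> float:
    """Quota.ExecutionTime is a .NET TimeSpan string, HH:MM:SS.fffffff."""
    h, m, s = resp["Quota"]["ExecutionTime"].split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


if __name__ == "__main__":
    print(json.dumps(build_sample_request(), indent=2))
    print(parse_query_response(RESULT_DOC), execution_seconds(RESULT_DOC))
```

The two-letter-case tenant fields (TenantIds and tenantIds) are emitted as observed on the page, both null.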