Unified MDTI APIs in Microsoft Graph Now GA

Posted by

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

We’re thrilled to share that the unified APIs that are part of the Microsoft Graph are now generally available! These APIs come with a single endpoint, permissions, auth model, and access token. The Microsoft Defender Threat Intelligence (Defender TI) API for Incidents, Alerts, and Hunting allows organizations to query Defender TI data to operationalize intelligence gleaned from threat actors, tools, and vulnerabilities. Security teams can enrich their understanding of entities inside security incidents, automate triage efforts, and integrate with a broad ecosystem of security tools, including Microsoft Sentinel.


Visit the official documentation>


Use Cases:

This new Defender TI API release has many use cases, including:


Incident enrichment: This API allows you to add more context from MDTI knowledge to incident entities, which can help you better understand the incident and take appropriate action.


Advanced hunting with Azure notebook: With this API, you can perform advanced hunting using Azure notebooks, which can help you identify potential threats and take proactive measures.


SIEM integration: This API allows you to run correlation and build integration with SOAR and SIEM systems, which can help you streamline your security operations.


Reporting: This API provides the ability to build rich and custom reporting on top of the MDTI data, which can help you gain insights into your security posture and make informed decisions.


API Documentation and More Information:

The complete API documentation is available in MS Graph documentation. Here are a few sample API calls to get you started:


Host Data: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com


Child HostPairs for a hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/childHostPairs?$count=true


Components for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/components?$count=true


Cookies for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/cookies?$count=true


HostPairs for an IP Address: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/hostPairs?$count=true


Host SSL Certificates for an IP Address: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/sslCertificates?$count=true


Parent HostPairs for an IP Address: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/parentHostPairs?$count=true


PassiveDns by IP Address: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/passiveDns?$count=true


PassiveDnsReverse by IP Address: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/passiveDnsReverse?$count=true


Hostname/IP reputation: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/reputation

Subdomains for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/subdomains?$count=true


Trackers for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/microsoft.com/trackers?$count=true


Whois for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/whois


Whois history for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/whois/history?$count=true


Threat Article: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/articles/{articleId}


Intel Profile: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/intelProfiles/{intelligenceProfileId}


Vulnerability: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/vulnerabilities/{vulnerabilityId}


PassiveDnsRecord: GET https://graph.microsoft.com/v1.0//security/threatIntelligence/passiveDnsRecords/{passiveDnsRecordId}




Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. To learn more about how you and your organization can leverage MDTI, watch our overview video and follow our “Become an MDTI Ninja” training path today. Be sure to contact sales to request a free trial or explore licensing options.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.