Blog Post

Microsoft Defender Threat Intelligence Blog
3 MIN READ

Unified MDTI APIs in Microsoft Graph Now GA

dennismercer's avatar
dennismercer
Icon for Microsoft rankMicrosoft
Nov 16, 2023

We’re thrilled to share that the unified APIs that are part of the Microsoft Graph are now generally available! These APIs come with a single endpoint, permissions, auth model, and access token. The Microsoft Defender Threat Intelligence (Defender TI) API for Incidents, Alerts, and Hunting allows organizations to query Defender TI data to operationalize intelligence gleaned from threat actors, tools, and vulnerabilities. Security teams can enrich their understanding of entities inside security incidents, automate triage efforts, and integrate with a broad ecosystem of security tools, including Microsoft Sentinel.

 

Visit the official documentation>

 

Use Cases:

This new Defender TI API release has many use cases, including:

 

Incident enrichment: This API allows you to add more context from MDTI knowledge to incident entities, which can help you better understand the incident and take appropriate action.

 

Advanced hunting with Azure notebook: With this API, you can perform advanced hunting using Azure notebooks, which can help you identify potential threats and take proactive measures.

 

SIEM integration: This API allows you to run correlation and build integration with SOAR and SIEM systems, which can help you streamline your security operations.

 

Reporting: This API provides the ability to build rich and custom reporting on top of the MDTI data, which can help you gain insights into your security posture and make informed decisions.

 

API Documentation and More Information:

The complete API documentation is available in MS Graph documentation. Here are a few sample API calls to get you started:

 

Host Data: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com

 

Child HostPairs for a hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/childHostPairs?$count=true

 

Components for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/components?$count=true

 

Cookies for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/cookies?$count=true

 

HostPairs for an IP Address: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/hostPairs?$count=true

 

Host SSL Certificates for an IP Address: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/sslCertificates?$count=true

 

Parent HostPairs for an IP Address: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/parentHostPairs?$count=true

 

PassiveDns by IP Address: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/passiveDns?$count=true

 

PassiveDnsReverse by IP Address: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/passiveDnsReverse?$count=true

 

Hostname/IP reputation: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/reputation

Subdomains for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/subdomains?$count=true

 

Trackers for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/microsoft.com/trackers?$count=true

 

Whois for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/whois

 

Whois history for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/whois/history?$count=true

 

Threat Article: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/articles/{articleId}

 

Intel Profile: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/intelProfiles/{intelligenceProfileId}

 

Vulnerability: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/vulnerabilities/{vulnerabilityId}

 

PassiveDnsRecord: GET https://graph.microsoft.com/v1.0//security/threatIntelligence/passiveDnsRecords/{passiveDnsRecordId}

 

Conclusion 

 

Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. To learn more about how you and your organization can leverage MDTI, watch our overview video and follow our “Become an MDTI Ninja” training path today. Be sure to contact sales to request a free trial or explore licensing options.

Updated Nov 16, 2023
Version 1.0
  • Hkesarwani Please see the last sentence in the blog.  You will need to contact sales to explore licensing options.  Currently, you would need to purchase an API license and that license would be set per user.

  • How to licenses Microsoft Graph APIs for Microsoft Defender Threat Intelligence per Tenant or per User?