Microsoft Defender Threat Intelligence Blog

What's New: APIs in Microsoft Graph

YanivSh (Microsoft)
Mar 29, 2023

We're thrilled to share that the Microsoft Defender Threat Intelligence (MDTI) APIs are now available in public preview as unified APIs in Microsoft Graph, with a single endpoint, permission model, auth model, and access token. The MDTI API for Incidents, Alerts, and Hunting lets organizations query MDTI data to operationalize intelligence gleaned from threat actors, tools, and vulnerabilities. Security teams can enrich their understanding of entities inside security incidents, automate triage efforts, and integrate with a broad ecosystem of security tools, including Microsoft Sentinel.

Visit the official documentation.

Use Cases

This new MDTI API release has many use cases, including:

  • Incident enrichment: This API allows you to add more context from MDTI knowledge to incident entities, which can help you better understand the incident and take appropriate action.
  • Advanced hunting with Azure notebooks: With this API, you can perform advanced hunting using Azure notebooks, which can help you identify potential threats and take proactive measures.
  • SIEM integration: This API allows you to run correlation and build integration with SOAR and SIEM systems, which can help you streamline your security operations.
  • Reporting: This API provides the ability to build rich and custom reporting on top of the MDTI data, which can help you gain insights into your security posture and make informed decisions.

Getting Started

  • Please reference our “Getting Started with MDTI” blog for details regarding setting up your MDTI Premium trial.

In this section, you will learn how to register an Azure AD application to use the APIs.

1. First, register an application in Azure Active Directory.

2. Sign in to the Azure Portal as a user with the Global administrator role.

3. Navigate to Azure Active Directory > App registrations > New registration.

4. In the registration form, enter a name for your application, then select Register. Selecting a redirect URI is optional.

5. On your application page, select API Permissions > Microsoft Graph.

6. In the page displayed, select Application permissions, start typing “ThreatIntelligence” in the search box, select ThreatIntelligence.Read.All, and then click Add Permission.

7. Click Grant admin consent for your tenant. You can select multiple permissions and then grant admin consent for them all.

8. Add a secret to the application. Select Certificates & Secrets, add a description for the secret, then select Add. Remember to save this secret.

9. Record your application ID and tenant ID somewhere safe. They're listed on your Application Overview page.

Authentication and Authorization with the Microsoft Graph

(“Get a token using the app and use the token to access the API”)

Because the MDTI APIs are hosted in Microsoft Graph, follow the steps outlined in the Microsoft Graph online documentation for acquiring an access token with the registered application and sending it with your API calls.

API Documentation and More Information

The complete API documentation is available in the Microsoft Graph documentation. Here are a few sample API calls to get you started:

Get HostName/IP information:

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('riskiq.net')
GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('185.82.217.3')

Get HostName/IP reputation:

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('log1n-micsoft0fice365.com')/reputation
GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('104.156.149.53')/reputation

Get HostName/IP components:

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('104.156.149.53')/components?$count=true
GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('msn.com')/components?$count=true

Get HostName/IP cookies:

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('microsoft.com')/cookies
GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('8.8.8.8')/cookies

Get HostName/IP trackers:

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('microsoft.com')/trackers?$count=true
GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('8.8.8.8')/trackers?$count=true

Get Article:

GET https://graph.microsoft.com/beta/security/threatIntelligence/articles/{articleId}

Get IntelligenceProfile:

GET https://graph.microsoft.com/beta/security/threatIntelligence/intelProfiles/{intelligenceProfileId}

Get Vulnerability:

GET https://graph.microsoft.com/beta/security/threatIntelligence/vulnerabilities/{vulnerabilityId}

Get passiveDnsRecord:

GET https://graph.microsoft.com/beta/security/threatIntelligence/passiveDnsRecords/{passiveDnsRecordId}

You can find examples of API calls and their properties in this Postman collection:

MDTI-Solutions/Postman Collection at master · Azure/MDTI-Solutions (github.com)
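As an added example (not code from Microsoft, the Graph SDK, or this blog post), the following Python script puts the registration, token, and sample-call sections together: it builds the client-credentials token request for the app registered under Getting Started, builds the same hosts(...) URLs shown in the sample calls above, presents the access token as a bearer token on the reputation call, and retries when Graph throttles the request with an HTTP 429 and a Retry-After header. The v2.0 token endpoint and the Graph beta URLs are the publicly documented ones; the environment variable names, the offline scripted_fetch transport, and the constructed sample reputation JSON (whose field names follow the beta hostReputation resource) are assumptions made for this example.

```python
"""Added example, not Microsoft's SDK: app-only Graph client for the MDTI hosts calls.
Assumptions: token endpoint and Graph beta URLs as documented; env var names, the
offline transport and the sample JSON (hostReputation-shaped) are constructed here."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_BASE = "https://graph.microsoft.com/beta/security/threatIntelligence"

# A transport performs one GET and returns (status, response headers, body text).
Fetch = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], str]]


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, bytes]:
    """Client-credentials grant: the registered app asks for an app-only token that
    covers every admin-consented Graph application permission (the .default scope)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # the secret saved in step 8; never log it
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def host_url(indicator: str, facet: Optional[str] = None, count: bool = False) -> str:
    """URL for hosts('<hostname or IP>') and a sub-resource (reputation, trackers, ...)."""
    key = indicator.replace("'", "''")  # OData key: single-quoted, inner quotes doubled
    url = f"{GRAPH_BASE}/hosts('{key}')"
    if facet:
        url += f"/{facet}"
    return url + "?$count=true" if count else url


def _urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Default transport over real HTTPS; HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


def graph_get(url: str, token: str, fetch: Optional[Fetch] = None, max_retries: int = 3) -> dict:
    """Bearer-authenticated GET following Graph throttling guidance: on 429/503 wait
    for Retry-After (exponential backoff if the header is absent) and try again."""
    fetch = fetch or _urllib_fetch
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    status, resp_headers, body = fetch(url, headers)
    for attempt in range(max_retries):
        if status not in (429, 503):
            break
        time.sleep(float(resp_headers.get("Retry-After", 2 ** attempt)))
        status, resp_headers, body = fetch(url, headers)
    if status != 200:
        raise RuntimeError(f"Graph returned HTTP {status} for {url}: {body[:200]}")
    return json.loads(body)


def summarize_reputation(rep: dict) -> dict:
    """Reduce a hostReputation object to what an analyst attaches to an incident entity."""
    return {
        "classification": rep.get("classification", "unknown"),
        "score": rep.get("score"),
        "rules": [rule.get("name") for rule in rep.get("rules", [])],
    }


def triage_host(indicator: str, token: str, fetch: Optional[Fetch] = None) -> dict:
    """Incident enrichment: look up one hostname/IP's reputation and summarize it."""
    return summarize_reputation(graph_get(host_url(indicator, "reputation"), token, fetch))


def scripted_fetch(responses: List[Tuple[int, Dict[str, str], str]]) -> Fetch:
    """Offline transport that replays constructed responses in order (demo and tests)."""
    queue = list(responses)

    def fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
        assert headers["Authorization"].startswith("Bearer ")  # token must be presented
        return queue.pop(0)

    return fetch


# Constructed sample response shaped like a beta hostReputation object (an assumption).
SAMPLE_REPUTATION = json.dumps({
    "classification": "suspicious",
    "score": 75,
    "rules": [{"name": "Suspicious keyword", "severity": "medium",
               "description": "Hostname imitates a well-known brand"}],
})

if __name__ == "__main__":
    import os
    env = {k: os.environ.get(k) for k in ("MDTI_TENANT", "MDTI_CLIENT_ID", "MDTI_CLIENT_SECRET")}
    if all(env.values()):  # live run with the app registered in the steps above
        url, body = build_token_request(env["MDTI_TENANT"], env["MDTI_CLIENT_ID"], env["MDTI_CLIENT_SECRET"])
        with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
            token = json.load(resp)["access_token"]
        print(triage_host("riskiq.net", token))
    else:  # offline demo: the first call is throttled, the retry succeeds
        demo = scripted_fetch([(429, {"Retry-After": "0"}, ""), (200, {}, SAMPLE_REPUTATION)])
        print(triage_host("log1n-micsoft0fice365.com", "constructed-token", demo))
```

With MDTI_TENANT, MDTI_CLIENT_ID and MDTI_CLIENT_SECRET set, the script performs a live lookup with the app-only token; without them it replays a constructed throttled-then-successful exchange, which is the path to exercise when wiring this into a SOAR playbook so that a 429 from Graph is retried instead of being reported as a failed enrichment.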

 

We Want to Hear from You!

Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about MDTI.

Updated Nov 14, 2023
Version 6.0
  • DeblohitBose (Copper Contributor):

    Hi TingL1015, assuming you are using Microsoft Graph APIs for Microsoft Defender Threat Intelligence; there are some limits for sure:

    Follow the article:

    Microsoft Graph throttling guidance - Microsoft Graph | Microsoft Learn

    https://learn.microsoft.com/en-us/graph/throttling-limits

    Requests per Minute (RPM): The API limits the number of requests that can be made per minute. For example, some services within Microsoft Graph allow up to 130,000 requests per 10 seconds.
    Tokens per Minute (TPM): While specific token limits per minute are not always detailed, the API does have mechanisms to manage high-volume usage and prevent overuse.
    Output Tokens: The maximum number of output tokens per response can vary depending on the specific API and configuration. Generally, the maximum response length is around 4096 output tokens.

  • May I know if there is any capacity limitation for the MDTI API? For example, output tokens per minute, or maximum number of output tokens per hour?

  • deblohitabose (Copper Contributor):

    Hi YanivSh and Alexandra_Roland, if I am using MS Sentinel as a SIEM, even then do I have to purchase the MDTI Threat Intelligence API SDK?

    What are the classic use cases when we need to enable the API SDK?

  • Update: Self-enabled MDTI Premium trials are no longer available. Please work with your Microsoft Commercial Executive or select the "Contact Sales" button on this page and fill out the form to get in touch with Microsoft sales to begin your MDTI Premium trial. 

  • Note: If you are working to configure the MDTI API and would like to use a Microsoft Graph SDK, please reference this "Microsoft Graph SDK" Learn article, which is also included as a link in our MDTI API Learn Documentation. There are links to the types of SDKs Microsoft Graph supports, which list out package dependencies needed.

  • Dean_Gross (Silver Contributor):

    Instructions don't work. Searching the API permissions for "security" does not return the ThreatIntelligence category. I needed to search for "Threat" to get the threatintelligence.read.app permission to show up.