What's New: APIs in Microsoft Graph
Published Mar 29 2023 05:38 PM 24.6K Views
Microsoft

We're thrilled to share that unified APIs that are part of the Microsoft Graph with a single endpoint, permissions, auth model, and access token are now available in public preview. The Microsoft Defender Threat Intelligence (MDTI) API for Incidents, Alerts, and Hunting allows organizations to query MDTI data to operationalize intelligence gleaned from threat actors, tools, and vulnerabilities. Security teams can enrich their understanding of entities inside security incidents, automate triage efforts, and integrate with a broad ecosystem of security tools, including Microsoft Sentinel.

 

Visit the official documentation>

 

 

Use Cases

 

This new MDTI API release has many use cases, including:

 

Incident enrichment: This API allows you to add more context from MDTI knowledge to incident entities, which can help you better understand the incident and take appropriate action.

 

Advanced hunting with Azure notebook: With this API, you can perform advanced hunting using Azure notebooks, which can help you identify potential threats and take proactive measures.

 

SIEM integration: This API allows you to run correlation and build integration with SOAR and SIEM systems, which can help you streamline your security operations.

 

Reporting: This API provides the ability to build rich and custom reporting on top of the MDTI data, which can help you gain insights into your security posture and make informed decisions. 

 

Getting Started

 

  • Please reference our “Getting Started with MDTI” blog for details regarding setting up your MDTI Premium trial.

 

In this section, you will learn how to register an Azure AD application to use the APIs. 

 

1. First, register an application in Azure Active Directory 

 

2. Sign in to  Azure Portal as a user with the Global administrator role. 

 

3. Navigate to Azure Active Directory > App registrations > New registration:


AAD-APPs01.jpg

 

4. In the registration form, enter a name for your application, then select  Register. Selecting a redirect, URI is optional. 

 

5. On your application page, select  API Permissions > Microsoft Graph.

 

Mike_Browning_0-1679962246419.png

 

 

6. In the page displayed, select Application permissions, start typing “ThreatIntelligence” in the search box, and select ThreatIntelligence.Read.All and then click on Add Permission. 

 

error-fix.jpg

 

7. Click admin consent for your tenant. You can select multiple permissions and then grant admin consent for them all. 

 

admin concent.jpg

 

8. Add a secret to the application. Select  Certificates & Secrets, add a description to the secret, then select  Add. Remember to save this secret.

 

add secret.jpg

 

9. Record your application ID and tenant ID somewhere safeThey'rere listed on your Application Overview page. 

 

copy-permission.jpg

 

Authentication and Authorization with the Microsoft Graph 

(O' ‘Get a token using the app and use the token to access the A'I’)

 

Because the MDTI APIs are hosted in Microsoft Graph, follow the steps as outlined in Microsoft Graph online documentation: 

 

 

API Documentation and More Information 

 

The complete API documentation is available in MS Graph documentation. Here are a few sample API calls to get you started: 

 

Get HostName/IP Information: 

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('riskiq.net')   

GET https:// graph.microsoft.com/beta/security/threatIntelligence/hosts('185.82.217.3')  

Get HostName/IP reputation: 

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('log1n-micsoft0fice365.com')/repu...  

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('104.156.149.53')/reputation  

GET HostName/IP components:  

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('104.156.149.53')/components?$cou...  

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('msn.com')/components?$count=true  

GET HostName/IP Cookies:  

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('microsoft.com')/cookies  

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('8.8.8.8')/cookies  

GET Hostname/IP Trackers: 

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('microsoft.com')/trackers?$count=...  

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts('8.8.8.8')/trackers?$count=true 

GET Article

GET https://graph.microsoft.com/beta/security/threatIntelligence/articles/{articleId} 

GET IntelligenceProfile

GET https://graph.microsoft.com/beta/security/threatIntelligence/intelProfiles/{intelligenceProfileId} 

GET Vulnerability

GET https://graph.microsoft.com/beta/security/threatIntelligence/vulnerabilities/{vulnerabilityId} 

GET passiveDnsRecord

GET https://graph.microsoft.com/beta//security/threatIntelligence/passiveDnsRecords/{passiveDnsRecordId} 

 

You can find examples of API call and properties in this postman collection:

MDTI-Solutions/Postman Collection at master · Azure/MDTI-Solutions (github.com) 

 

We Want to Hear from You! 

 

Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about MDTI.

10 Comments
Co-Authors
Version history
Last update:
‎Nov 14 2023 01:17 PM
Updated by: