We're thrilled to share that unified APIs that are part of the Microsoft Graph with a single endpoint, permissions, auth model, and access token are now available in public preview. The Microsoft Defender Threat Intelligence (Defender TI) API for Incidents, Alerts, and Hunting allows organizations to query Defender TI data to operationalize intelligence gleaned from threat actors, tools, and vulnerabilities. Security teams can enrich their understanding of entities inside security incidents, automate triage efforts, and integrate with a broad ecosystem of security tools, including Microsoft Sentinel.
Visit the official documentation>
This new Defender TI API release has many use cases, including:
Incident enrichment: This API allows you to add more context from MDTI knowledge to incident entities, which can help you better understand the incident and take appropriate action.
Advanced hunting with Azure notebook: With this API, you can perform advanced hunting using Azure notebooks, which can help you identify potential threats and take proactive measures.
SIEM integration: This API allows you to run correlation and build integration with SOAR and SIEM systems, which can help you streamline your security operations.
Reporting: This API provides the ability to build rich and custom reporting on top of the MDTI data, which can help you gain insights into your security posture and make informed decisions.
- You can sign up for an MDTI Premium license trial here
- You can sign up for an MDTI API License trial here.
In this section, you will learn how to register an Azure AD application to use the APIs.
1. First, register an application in Azure Active Directory
2. Sign in to Azure Portal as a user with the Global administrator role.
3. Navigate to Azure Active Directory > App registrations > New registration:
4. In the registration form, enter a name for your application, then select Register. Selecting a redirect, URI is optional.
5. On your application page, select API Permissions > Microsoft Graph.
6. In the page displayed, select Application permissions, start typing “ThreatIntelligence” in the search box, and select ThreatIntelligence.Read.All and then click on Add Permission.
7. Click admin consent for your tenant. You can select multiple permissions and then grant admin consent for them all.
8. Add a secret to the application. Select Certificates & Secrets, add a description to the secret, then select Add. Remember to save this secret.
9. Record your application ID and tenant ID somewhere safeThey'rere listed on your Application Overview page.
Authentication and Authorization with the Microsoft Graph
(O' ‘Get a token using the app and use the token to access the A'I’)
Because the Defender TI APIs are hosted in Microsoft Graph, follow the steps as outlined in Microsoft Graph online documentation:
API Documentation and More Information
The complete API documentation is available in MS Graph documentation. Here are a few sample API calls to get you started:
Get HostName/IP Information:
GET https:// graph.microsoft.com/beta/security/threatIntelligence/hosts('188.8.131.52')
Get HostName/IP reputation:
GET HostName/IP components:
GET HostName/IP Cookies:
GET Hostname/IP Trackers:
You can find examples of API call and properties in this postman collection:
MDTI-Solutions/Postman Collection at master · Azure/MDTI-Solutions (github.com)
We Want to Hear from You!
Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about Defender TI and try it today.