Unified MDTI APIs in Microsoft Graph Now GA


We're thrilled to share that the unified APIs that are part of the Microsoft Graph are now generally available! These APIs come with a single endpoint, permissions, auth model, and access token. The Microsoft Threat Intelligence ( TI) API for Incidents, Alerts, and Hunting allows organizations to query TI data to operationalize intelligence gleaned from threat actors, tools, and vulnerabilities. Security teams can enrich their understanding of entities inside security incidents, automate triage efforts, and integrate with a broad ecosystem of security tools, including Microsoft Sentinel.

Visit the official documentation>

Use Cases:

This new Defender TI API release has many use cases, including:

Incident enrichment: This API allows you to add more context from MDTI knowledge to incident entities, which can help you better understand the incident and take appropriate action.

Advanced hunting with Azure notebook: With this API, you can perform advanced hunting using Azure notebooks, which can help you identify potential threats and take proactive measures.

SIEM integration: This API allows you to run correlation and build integration with SOAR and SIEM systems, which can help you streamline your security operations.

Reporting: This API provides the ability to build rich and custom reporting on top of the MDTI data, which can help you gain insights into your security posture and make informed decisions.

API Documentation and More Information:

The complete API documentation is available in MS Graph documentation. Here are a few sample API calls to get you started:

Host Data: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com

Child HostPairs for a hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/childHostPairs?$count…

Components for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/components?$count=tru…

Cookies for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/cookies?$count=true

HostPairs for an IP Address: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/hostPairs?$count=true

Host Certificates for an IP Address: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/sslCertificates?$coun…

Parent HostPairs for an IP Address: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/parentHostPairs?$coun…

PassiveDns by IP Address: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/passiveDns?$count=tru…

PassiveDnsReverse by IP Address: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/passiveDnsReverse?$co…

Hostname/IP reputation: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/reputation

Subdomains for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/subdomains?$count=tru…

Trackers for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/microsoft.com/trackers?$count=tru…

Whois for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/whois

Whois history for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/whois/history?$count=…

Threat Article: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/articles/{articleId}

Intel Profile: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/intelProfiles/{intelligenceProfileId}

Vulnerability: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/vulnerabilities/{vulnerabilityId}

PassiveDnsRecord: GET https://graph.microsoft.com/v1.0//security/threatIntelligence/passiveDnsRecords/{passiveDnsRecordId}



Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. To learn more about how you and your organization can leverage MDTI, watch our overview video and follow our “Become an MDTI Ninja” training path today. Be sure to contact sales to request a free trial or explore licensing options.


This article was originally published by Microsoft's Defender Threat Intelligence Blog. You can find the original article here.