What’s New: APIs in Microsoft Graph

We're thrilled to share that unified APIs that are part of the Microsoft Graph with a single endpoint, permissions, auth model, and access token are now available in public preview. The Microsoft (MDTI) API for Incidents, Alerts, and Hunting allows organizations to query MDTI data to operationalize intelligence gleaned from threat actors, tools, and vulnerabilities. Security teams can enrich their understanding of entities inside security incidents, automate triage efforts, and integrate with a broad ecosystem of security tools, including Microsoft Sentinel.

Visit the official documentation>

Use Cases

This new MDTI API release has many use cases, including:

Incident enrichment: This API allows you to add more context from MDTI knowledge to incident entities, which can help you better understand the incident and take appropriate action.

Advanced hunting with Azure notebook: With this API, you can perform advanced hunting using Azure notebooks, which can help you identify potential threats and take proactive measures.

SIEM integration: This API allows you to run correlation and build integration with SOAR and SIEM systems, which can help you streamline your security operations.

Reporting: This API provides the ability to build rich and custom reporting on top of the MDTI data, which can help you gain insights into your security posture and make informed decisions.

Getting Started

  • Please reference our “Getting Started with MDTI” blog for details regarding setting up your MDTI Premium trial.

In this section, you will learn register an application to use the APIs. 

1. First, register an application in Azure  

2. Sign in to  Azure Portal as a user with the Global administrator role.

3. Navigate to Azure > App registrations > New registration:

AAD-APPs01.jpg

4. In the registration form, enter a name for your application, then select  Register. Selecting a redirect, URI is optional.

5. On your application page, select  API Permissions > Microsoft Graph.

Mike_Browning_0-1679962246419.png

6. In the page displayed, select Application permissions, start typing “ThreatIntelligence” in the search box, and select ThreatIntelligence.Read.All and then click on Add Permission.

error-fix.jpg

7. Click admin consent for your tenant. You can select multiple permissions and then grant admin consent for them all.

admin concent.jpg

8. Add a secret to the application. Select  Certificates & Secrets, add a description to the secret, then select  Add. Remember to save this secret.

add secret.jpg

9. Record your application ID and tenant ID somewhere safeThey'rere listed on your Application Overview page.

copy-permission.jpg

Authentication and Authorization with the Microsoft Graph 

(O' ‘Get a token using the app and use the token to access the A'I')

Because the MDTI APIs are hosted in Microsoft Graph, follow the steps as outlined in Microsoft Graph online documentation:

API Documentation and More Information 

The complete API documentation is available in MS Graph documentation. Here are a few sample API calls to get you started:

Get HostName/IP Information:

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts(‘riskiq.net')  

GET https:// graph.microsoft.com/beta/security/threatIntelligence/hosts(‘185.82.217.3')

Get HostName/IP reputation:

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts(‘log1n-micsoft0fice365.com')/repu…

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts(‘104.156.149.53')/reputation

GET HostName/IP components: 

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts(‘104.156.149.53')/components?$cou…

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts(‘msn.com')/components?$count=true

GET HostName/IP Cookies: 

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts(‘microsoft.com')/cookies

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts(‘8.8.8.8')/cookies

GET Hostname/IP Trackers:

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts(‘microsoft.com')/trackers?$count=…

GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts(‘8.8.8.8')/trackers?$count=true

GET Article

GET https://graph.microsoft.com/beta/security/threatIntelligence/articles/{articleId} 

GET IntelligenceProfile

GET https://graph.microsoft.com/beta/security/threatIntelligence/intelProfiles/{intelligenceProfileId} 

GET Vulnerability

GET https://graph.microsoft.com/beta/security/threatIntelligence/vulnerabilities/{vulnerabilityId} 

GET passiveDnsRecord

GET https://graph.microsoft.com/beta//security/threatIntelligence/passiveDnsRecords/{passiveDnsRecordId} 

You can find examples of API call and properties in this postman collection:

MDTI-Solutions/Postman Collection at master · Azure/MDTI-Solutions (github.com) 

We Want to Hear from You! 

Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. With an open dialogue, we can create a safer internet together. Learn more about MDTI.

 

This article was originally published by Microsoft's Defender Threat Intelligence Blog. You can find the original article here.