dennismercer
We’re thrilled to share that the unified security APIs in Microsoft Graph are now generally available! These APIs share a single endpoint, permission model, auth model, and access token with the rest of Microsoft Graph. The Microsoft Defender Threat Intelligence (Defender TI) API for Incidents, Alerts, and Hunting allows organizations to query Defender TI data to operationalize intelligence about threat actors, tools, and vulnerabilities. Security teams can enrich their understanding of entities inside security incidents, automate triage, and integrate with a broad ecosystem of security tools, including Microsoft Sentinel.
Visit the official documentation>
Use Cases:
This new Defender TI API release has many use cases, including:
Incident enrichment: Add context from MDTI knowledge to incident entities (hosts, IP addresses, domains) so analysts understand the incident better and can take appropriate action.
Advanced hunting with Azure notebooks: Query MDTI data from Azure notebooks to hunt for potential threats and act on them proactively.
SIEM integration: Correlate events and build integrations with SIEM and SOAR systems to streamline security operations.
Reporting: Build rich, custom reporting on top of MDTI data to gain insight into your security posture and make informed decisions.
API Documentation and More Information:
The complete API documentation is available in the Microsoft Graph documentation. The hosts resource accepts either a hostname or an IP address as the host ID; the samples below use contoso.com, and appending ?$count=true asks Graph to return the total size of a collection alongside the page of results. Here are a few sample API calls to get you started:
Host Data: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com
Child HostPairs for a Hostname: GET https://graph.microsoft.com/v1.0/se.../hosts/contoso.com/childHostPairs?$count=true
Components for a Hostname: GET https://graph.microsoft.com/v1.0/se...ence/hosts/contoso.com/components?$count=true
Cookies for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/cookies?$count=true
HostPairs for a Host (hostname or IP address): GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/hostPairs?$count=true
SSL Certificates for a Host (hostname or IP address): GET https://graph.microsoft.com/v1.0/se...hosts/contoso.com/sslCertificates?$count=true
Parent HostPairs for a Host (hostname or IP address): GET https://graph.microsoft.com/v1.0/se...hosts/contoso.com/parentHostPairs?$count=true
Passive DNS for a Host (hostname or IP address): GET https://graph.microsoft.com/v1.0/se...ence/hosts/contoso.com/passiveDns?$count=true
Reverse Passive DNS for a Host (hostname or IP address): GET https://graph.microsoft.com/v1.0/se...sts/contoso.com/passiveDnsReverse?$count=true
Hostname/IP reputation: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/reputation
Subdomains for a Hostname: GET https://graph.microsoft.com/v1.0/se...ence/hosts/contoso.com/subdomains?$count=true
Trackers for a Hostname: GET https://graph.microsoft.com/v1.0/se...ence/hosts/microsoft.com/trackers?$count=true
Whois for a Hostname: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/contoso.com/whois
Whois history for a Hostname: GET https://graph.microsoft.com/v1.0/se...e/hosts/contoso.com/whois/history?$count=true
Threat Article: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/articles/{articleId}
Intel Profile: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/intelProfiles/{intelligenceProfileId}
Vulnerability: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/vulnerabilities/{vulnerabilityId}
PassiveDnsRecord: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/passiveDnsRecords/{passiveDnsRecordId}
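As an added example (not Microsoft's sample code and not part of the original post), the following Python script shows how the sample calls above fit together in an incident-enrichment workflow: it builds the hosts/{host} URLs, follows @odata.nextLink pagination, and summarises the reputation and passive DNS responses for one host. The constructed JSON responses and the fake_fetch helper are assumptions in the documented response shape so the script runs offline; for a live call, pass graph_fetcher(token) with a bearer token issued to an app that has been granted the ThreatIntelligence.Read.All permission.

```python
"""Enrich a host with Defender TI data from the Graph threatIntelligence API.

Added example, not Microsoft's code. Network access sits behind a
`fetch(url) -> dict` callable so the enrichment logic can run offline
against constructed responses (SAMPLE below) or live via graph_fetcher().
"""
import json
import re
import urllib.parse
import urllib.request

GRAPH_TI = "https://graph.microsoft.com/v1.0/security/threatIntelligence"

# A host ID is a hostname or an IP address. Anything else ('/', '?', '#', ...)
# would change the request path, so reject it instead of encoding and hoping.
_HOST_ID = re.compile(r"^[A-Za-z0-9.\-:]{1,253}$")


def host_url(host, relation=None, count=False):
    """Build .../hosts/{host}[/{relation}][?$count=true] like the sample calls."""
    if not _HOST_ID.match(host):
        raise ValueError(f"not a hostname or IP address: {host!r}")
    url = f"{GRAPH_TI}/hosts/{urllib.parse.quote(host, safe=':')}"
    if relation:
        url += f"/{relation}"
    if count:
        url += "?$count=true"
    return url


def graph_fetcher(token):
    """Return a fetch(url) that calls Graph with a bearer token (live use only)."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def get_all(fetch, url):
    """Collect every item of a collection, following @odata.nextLink pages."""
    items = []
    while url:
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def enrich_host(fetch, host):
    """Summarise reputation and passive DNS (A records) for one host."""
    rep = fetch(host_url(host, "reputation"))
    pdns = get_all(fetch, host_url(host, "passiveDns", count=True))
    resolved = sorted({r["artifact"]["id"] for r in pdns if r.get("recordType") == "A"})
    classification = rep.get("classification", "unknown")
    return {
        "host": host,
        "classification": classification,
        "score": rep.get("score"),
        "rules": [r["name"] for r in rep.get("rules", [])],
        "resolved_ips": resolved,
        "needs_review": classification in ("suspicious", "malicious"),
    }


# Constructed, simplified responses (assumed shape) keyed by request URL, so the
# offline run exercises the same URLs the live fetcher would request.
_PAGE2 = GRAPH_TI + "/hosts/contoso.com/passiveDns?$skiptoken=page2"
SAMPLE = {
    host_url("contoso.com", "reputation"): {
        "classification": "suspicious",
        "score": 62,
        "rules": [{"name": "Recently registered domain", "severity": "medium"}],
    },
    host_url("contoso.com", "passiveDns", count=True): {
        "@odata.count": 4,
        "value": [
            {"recordType": "A", "artifact": {"id": "203.0.113.10"}},
            {"recordType": "A", "artifact": {"id": "203.0.113.11"}},
        ],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {
        "value": [
            {"recordType": "NS", "artifact": {"id": "ns1.example.net"}},
            {"recordType": "A", "artifact": {"id": "203.0.113.10"}},
        ],
    },
}


def fake_fetch(url):
    """Offline stand-in for graph_fetcher(): serve the constructed responses."""
    return SAMPLE[url]


if __name__ == "__main__":
    print(json.dumps(enrich_host(fake_fetch, "contoso.com"), indent=2))
```

Two points worth keeping when adapting this: the host value usually comes straight from an incident entity, so host_url rejects anything that is not a plain hostname or IP address before it becomes part of the request path; and get_all keeps reading until @odata.nextLink is absent, because a single page of passive DNS results is rarely the whole history.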
Conclusion
Be sure to join our fast-growing community of security pros and experts to provide product feedback and suggestions and start conversations about how MDTI is helping your team stay on top of threats. To learn more about how you and your organization can leverage MDTI, watch our overview video and follow our “Become an MDTI Ninja” training path today. Be sure to contact sales to request a free trial or explore licensing options.