Microsoft Defender Threat Intelligence
The Microsoft Defender Threat Intelligence connector enables automated access to threat intelligence data, facilitating proactive cybersecurity measures.

Microsoft Defender Threat Intelligence offers a comprehensive suite of threat detection and analysis tools. This connector enables Swimlane Turbine users to integrate with Microsoft's threat intelligence capabilities, allowing for the retrieval and analysis of SSL certificates, passive DNS records, and WHOIS information. By leveraging this integration, security teams can enhance their threat detection and response workflows, gaining access to Microsoft's rich threat intelligence data directly within Swimlane Turbine playbooks.

Limitations

When using $filter and $orderby in the same query to get messages, make sure to specify properties in the following ways:

- Properties that appear in $orderby must also appear in $filter.
- Properties that appear in $orderby are in the same order as in $filter.
- Properties that are present in $orderby appear in $filter before any properties that aren't.

Failing to do this results in the following error:

- Error code: InefficientFilter
- Error message: The restriction or sort order is too complex for this operation.

Supported versions

This Microsoft Defender Threat Intelligence connector uses the version 1.0 API.

Additional docs

- https://learn.microsoft.com/en-us/graph/auth/auth-concepts
- https://learn.microsoft.com/en-us/graph/api/resources/security-threatintelligence-overview?view=graph-rest-1.0
- https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http
- https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

Configuration prerequisites

To effectively utilize the Microsoft Defender Threat Intelligence connector within Swimlane Turbine, ensure you have the following prerequisites:

- OAuth 2.0 client credentials for secure authentication, which include:
  - URL: Endpoint URL for API access.
  - Client ID: Unique identifier for the application making the request.
  - Client secret: A secret key known only to the application and the authorization server.
  - Token URL: Endpoint URL to obtain the access token.
  - Scope: Permissions the application requires.

Client credential flow authentication

Authentication uses Azure application OAuth2. You will need an admin account in Azure to create the application.

Recommended application permissions (feel free to use custom permissions if you only use certain actions):

- ThreatIntelligence.Read.All

In order to set up the asset, you need the following:

- Azure application client ID
- Azure application client secret
- Azure tenant ID

Steps to create the Azure app

1. Go to https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade in the Azure portal.
2. Click New registration.
3. Enter a name for your new application and choose Accounts in this organizational directory only, then click Register at the bottom.
4. Navigate to the API permissions tab on the left navigation menu.
5. Select Add a permission.
6. Select Microsoft Graph.
7. Select Application permissions, then mark all the permissions you need for the actions you are using (see suggested permissions at the top of the asset setup section).
8. Click the Add permissions button at the bottom of the page.
9. Select Grant admin consent for your organization, then your permissions should look as below.
10. Navigate to the Certificates & secrets tab and select New client secret.
11. Fill out the description and expiration, then click the Add button at the bottom.
12. The value of the secret you just created is the client secret needed for the Swimlane asset.
13. Navigate to the Overview tab on the left menu. The client ID and tenant ID needed in the asset are shown on this page.

The client ID, tenant ID, and client secret described in the steps above are the credentials you need for the asset.

Authentication methods

OAuth 2.0 client credentials

To effectively utilize the Microsoft Defender Threat Intelligence connector within Swimlane Turbine, ensure you have the following prerequisites:

- OAuth 2.0 client credentials authentication with the following parameters:
  - URL: Endpoint for the Microsoft Defender Threat Intelligence API.
  - Client ID: Unique identifier for the application seeking access.
  - Client secret: A secret known only to the application and the authorization server.
  - Token URL: Endpoint to obtain the OAuth 2.0 tokens.
  - Scope: Permissions the application requires.

Capabilities

This Microsoft Defender Threat Intelligence connector provides the following capabilities:

- Get host SSL certificate
- Get passive DNS record
- Get SSL certificate
- Get WHOIS history record
- Get WHOIS record by host ID
- Get WHOIS record by WHOIS record ID
- List host SSL certificates
- List related hosts
- List SSL certificates
- List WHOIS history records by host ID
- List WHOIS history records by ID
- List WHOIS records

Get host SSL certificate

Get the properties and relationships of a host SSL certificate object. Microsoft Defender Threat Intelligence documentation for this action can be found at https://learn.microsoft.com/en-us/graph/api/security-hostsslcertificate-get?view=graph-rest-1.0&tabs=http

Get passive DNS record

Read the properties and relationships of a passive DNS record object. Microsoft Defender Threat Intelligence documentation for this action can be found at https://learn.microsoft.com/en-us/graph/api/security-passivednsrecord-get?view=graph-rest-1.0&tabs=http

Get SSL certificate

Get the properties and relationships of an SSL certificate object. Microsoft Defender Threat Intelligence documentation for this action can be found at https://learn.microsoft.com/en-us/graph/api/security-sslcertificate-get?view=graph-rest-1.0&tabs=http

Get WHOIS history record

Get WHOIS history record. Microsoft Defender Threat Intelligence documentation for this action can be found at https://learn.microsoft.com/en-us/graph/api/security-whoishistoryrecord-get?view=graph-rest-1.0

Get WHOIS record by host ID

To get the current WHOIS record for the specified host. Microsoft Defender Threat Intelligence documentation for this action can be found at https://learn.microsoft.com/en-us/graph/api/security-whoisrecord-get?view=graph-rest-1.0&tabs=http

Get WHOIS record by WHOIS record ID

Get the specified WHOIS record resource by WHOIS record ID. Microsoft Defender Threat Intelligence documentation for this action can be found at https://learn.microsoft.com/en-us/graph/api/security-whoisrecord-get?view=graph-rest-1.0&tabs=http

List host SSL certificates

Get a list of host SSL certificate objects from the host navigation property. Microsoft Defender Threat Intelligence documentation for this action can be found at https://learn.microsoft.com/en-us/graph/api/security-host-list-sslcertificates?view=graph-rest-1.0&tabs=http

List related hosts

Get a list of related host resources associated with an SSL certificate. Microsoft Defender Threat Intelligence documentation for this action can be found at https://learn.microsoft.com/en-us/graph/api/security-sslcertificate-list-relatedhosts?view=graph-rest-1.0&tabs=http

List SSL certificates

Get a list of SSL certificate objects and their properties. Microsoft Defender Threat Intelligence documentation for this action can be found at https://learn.microsoft.com/en-us/graph/api/security-threatintelligence-list-sslcertificates?view=graph-rest-1.0&tabs=http

List WHOIS history records by host ID

Get the history for a WHOIS record, as represented by a collection of whoishistoryrecord resources. Microsoft Defender Threat Intelligence documentation for this action can be found at https://learn.microsoft.com/en-us/graph/api/security-whoisrecord-list-history?view=graph-rest-1.0&tabs=http

List WHOIS history records by ID

Get the history for a WHOIS record, as represented by a collection of WHOIS history record resources. Microsoft Defender Threat Intelligence documentation for this action can be found at https://learn.microsoft.com/en-us/graph/api/security-whoisrecord-list-history?view=graph-rest-1.0&tabs=http

List WHOIS records

Get a list of WHOIS record objects. Microsoft Defender Threat Intelligence documentation for this action can be found at https://learn.microsoft.com/en-us/graph/api/security-threatintelligence-list-whoisrecords?view=graph-rest-1.0&tabs=http

Configurations

MS Defender Threat Intelligence OAuth client creds

Authenticates using OAuth 2.0 client credentials.

Configuration parameters

Parameter | Description | Type | Required
url | A URL to the target host. | string | Required
token url | Must start with https://login.microsoftonline.com/, continue with the tenant ID, and end with /oauth2/v2.0/token. | string | Required
client id | The client ID. | string | Required
client secret | The client secret. | string | Required
scope | List of permission scopes for this action. | array | Required
verify ssl | Verify SSL certificate. | boolean | Optional
http proxy | A proxy to route requests through. | string | Optional

Actions

Get host SSL certificate

Retrieve properties and relationships of a specific host SSL certificate in Microsoft Defender Threat Intelligence using the certificate ID.

Endpoint URL: /v1.0/security/threatintelligence/hostsslcertificates/{{hostsslcertificateid}}
Method: GET

Input argument name | Type | Required | Description
path parameters hostsslcertificateid | string | Required | The host SSL certificate ID.
parameters $count | boolean | Optional | Retrieves the total count of matching resources.
parameters $orderby | array | Optional | Orders results.
parameters $select | string | Optional | Returns results based on search criteria.
parameters $skip | number | Optional | Indexes into a result set. Also used by some APIs to implement paging and can be used together with $top to manually page results.
parameters $top | number | Optional | Sets the page size of results.

Input example

{"parameters": {"$count": true, "$orderby": [""], "$select": "", "$skip": 15, "$top": 10}, "path parameters": {"hostsslcertificateid": "y29udg9zby5jb20xntuwmgzioty1nte1mdvmmwvkyji0zgqzyjm2zmnmzmrinzy1odmzyjgxmtg="}}

Output

Parameter | Type | Description
status code | number | HTTP status code of the response
reason | string | Response reason phrase
value | object | Value for the parameter
value id | string | Unique identifier
value firstseendatetime | string | Value for the parameter
value lastseendatetime | string | Value for the parameter
value ports | array | Value for the parameter
value ports port | number | Value for the parameter
value ports firstseendatetime | string | Value for the parameter
value ports lastseendatetime | string | Value for the parameter
value host | object | Value for the parameter
value host @odata.type | string | Response data
value host id | string | Unique identifier
value sslcertificate | object | Value for the parameter
value sslcertificate @odata.context | string | Response data
value sslcertificate id | string | Unique identifier
value sslcertificate firstseendatetime | string | Value for the parameter
value sslcertificate lastseendatetime | string | Value for the parameter
value sslcertificate fingerprint | string | Value for the parameter
value sslcertificate sslversion | string | Value for the parameter
value sslcertificate expirationdatetime | string | Value for the parameter
value sslcertificate issuedatetime | string | Value for the parameter
value sslcertificate sha1 | string | Value for the parameter
value sslcertificate serialnumber | string | Value for the parameter
value sslcertificate subject | object | Value for the parameter

Output example

{"status code" 200,"response headers" {"cache control" "no store, must revalidate, no cache, max age=0","pragma" "no cache","transfer encoding" "chunked","content type" "application/json","content encoding" "gzip","expires" "0","strict transport security" "max age=31536000","request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","client request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","x ms ags diagnostic" "{\\"serverinfo\\" {\\"datacenter\\" \\"central india\\",\\"slice\\" \\"e\\",\\"ring\\" \\"3\\",\\"scaleuni

Get passive DNS record

Retrieve details and relationships of a specific passive DNS record object in Microsoft Defender Threat Intelligence using the record ID.

Endpoint URL: /v1.0/security/threatintelligence/passivednsrecords/{{passivednsrecordid}}
Method: GET

Input argument name | Type | Required | Description
path parameters passivednsrecordid | string | Required | The passive DNS record ID.
parameters $count | boolean | Optional | Retrieves the total count of matching resources.
parameters $orderby | array | Optional | Orders results.
parameters $search | string | Optional | Returns results based on search criteria.
parameters $select | string | Optional | Filters properties (columns).
parameters $skip | number | Optional | Indexes into a result set. Also used by some APIs to implement paging and can be used together with $top to manually page results.
parameters $top | number | Optional | Sets the page size of results.
parameters $expand | array | Optional | Retrieves related resources.
parameters $format | string | Optional | Returns the results in the specified media format.
parameters $filter | string | Optional | Filters results (rows).

Input example

{"parameters": {"$count": true, "$orderby": [""], "$search": "", "$select": "", "$skip": 15, "$top": 10, "$expand": ["children"], "$format": "json", "$filter": ""}, "path parameters": {"passivednsrecordid": "y29udg9zby5jb20kjdiwljewmy44ns4zmyqkzmfsc2u="}}

Output

Parameter | Type | Description
status code | number | HTTP status code of the response
reason | string | Response reason phrase
value | object | Value for the parameter
value @odata.type | string | Response data
value id | string | Unique identifier
value firstseendatetime | string | Value for the parameter
value lastseendatetime | string | Value for the parameter
value collecteddatetime | string | Value for the parameter
value recordtype | string | Type of the resource
value parenthost | object | Value for the parameter
value parenthost id | string | Unique identifier
value artifact | object | Value for the parameter
value artifact @odata.type | string | Response data
value artifact id | string | Unique identifier

Output example

{"status code" 200,"response headers" {"cache control" "no store, must revalidate, no cache, max age=0","pragma" "no cache","transfer encoding" "chunked","content type" "application/json","content encoding" "gzip","expires" "0","strict transport security" "max age=31536000","request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","client request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","x ms ags diagnostic" "{\\"serverinfo\\" {\\"datacenter\\" \\"central india\\",\\"slice\\" \\"e\\",\\"ring\\" \\"3\\",\\"scaleuni

Get SSL certificate

Retrieve properties and relationships of an SSL certificate object in Microsoft Defender Threat Intelligence using the sslcertificateid.

Endpoint URL: /v1.0/security/threatintelligence/sslcertificates/{{sslcertificateid}}
Method: GET

Input argument name | Type | Required | Description
path parameters sslcertificateid | string | Required | The SSL certificate ID.
parameters $count | boolean | Optional | Retrieves the total count of matching resources.
parameters $orderby | array | Optional | Orders results.
parameters $search | string | Optional | Returns results based on search criteria.
parameters $select | string | Optional | Filters properties (columns).
parameters $skip | number | Optional | Indexes into a result set. Also used by some APIs to implement paging and can be used together with $top to manually page results.
parameters $top | number | Optional | Sets the page size of results.

Input example

{"parameters": {"$count": true, "$orderby": [""], "$search": "", "$select": "", "$skip": 15, "$top": 10}, "path parameters": {"sslcertificateid": "zmi5nju1mtuwnwyxzwrimjrkzdnimzzmy2zmzgi3nju4mzniodexoa=="}}

Output

Parameter | Type | Description
status code | number | HTTP status code of the response
reason | string | Response reason phrase
value | object | Value for the parameter
value id | string | Unique identifier
value firstseendatetime | string | Value for the parameter
value lastseendatetime | string | Value for the parameter
value fingerprint | string | Value for the parameter
value sslversion | string | Value for the parameter
value expirationdatetime | string | Value for the parameter
value issuedatetime | string | Value for the parameter
value sha1 | string | Value for the parameter
value serialnumber | string | Value for the parameter
value subject | object | Value for the parameter
value subject commonname | string | Name of the resource
value subject address | object | Value for the parameter
value subject address city | string | Value for the parameter
value subject address countryorregion | string | Value for the parameter
value subject address postalcode | object | Value for the parameter
value subject address postofficebox | object | Value for the parameter
value subject address state | string | Value for the parameter
value subject address street | object | Value for the parameter
value subject email | object | Value for the parameter
value subject givenname | object | Name of the resource
value subject organizationname | string | Name of the resource
value subject organizationunitname | object | Name of the resource

Output example

{"status code" 200,"response headers" {"cache control" "no store, must revalidate, no cache, max age=0","pragma" "no cache","transfer encoding" "chunked","content type" "application/json","content encoding" "gzip","expires" "0","strict transport security" "max age=31536000","request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","client request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","x ms ags diagnostic" "{\\"serverinfo\\" {\\"datacenter\\" \\"central india\\",\\"slice\\" \\"e\\",\\"ring\\" \\"3\\",\\"scaleuni

Get WHOIS history record

Retrieve the history record for a domain's WHOIS information using its unique identifier in Microsoft Defender Threat Intelligence.

Endpoint URL: /v1.0/security/threatintelligence/whoishistoryrecord/{{whoishistoryrecordid}}
Method: GET

Input argument name | Type | Required | Description
path parameters whoishistoryrecordid | string | Required | The WHOIS history record ID.
parameters $select | string | Optional | Select is supported to limit the properties returned in this query.

Input example

{"path parameters": {"whoishistoryrecordid": "y29udg9zby5jb20kjdy5njq3odeymdc3ndy1nzi0mzm="}}

Output

Parameter | Type | Description
status code | number | HTTP status code of the response
reason | string | Response reason phrase
@odata.type | string | Response data
id | string | Unique identifier
expirationdatetime | string | Time value
registrationdatetime | string | Time value
firstseendatetime | object | Time value
lastseendatetime | object | Time value
lastupdatedatetime | string | Time value
billing | object | Output field billing
noc | object | Output field noc
zone | object | Output field zone
whoisserver | string | Output field whoisserver
domainstatus | string | Status value
rawwhoistext | string | Output field rawwhoistext
abuse | object | Output field abuse
abuse email | string | Output field abuse email
abuse name | object | Name of the resource
abuse organization | object | Output field abuse organization
abuse telephone | string | Output field abuse telephone
abuse fax | object | Output field abuse fax
abuse address | object | Output field abuse address
abuse address city | object | Output field abuse address city
abuse address countryorregion | object | Output field abuse address countryorregion
abuse address postalcode | object | Output field abuse address postalcode

Output example

{"status code" 200,"response headers" {"cache control" "no store, must revalidate, no cache, max age=0","pragma" "no cache","transfer encoding" "chunked","content type" "application/json","content encoding" "gzip","expires" "0","strict transport security" "max age=31536000","request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","client request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","x ms ags diagnostic" "{\\"serverinfo\\" {\\"datacenter\\" \\"central india\\",\\"slice\\" \\"e\\",\\"ring\\" \\"3\\",\\"scaleuni

Get WHOIS record by host ID

Retrieve the current WHOIS record for a specified host using its unique identifier, requiring the hostid as a path parameter.

Endpoint URL: /v1.0/security/threatintelligence/hosts/{{hostid}}/whois
Method: GET

Input argument name | Type | Required | Description
path parameters hostid | string | Required | The host ID.
parameters $select | string | Optional | Select is supported to limit the properties returned in this query.

Input example

{"path parameters": {"hostid": "contoso.com"}}

Output

Parameter | Type | Description
status code | number | HTTP status code of the response
reason | string | Response reason phrase
@odata.context | string | Response data
id | string | Unique identifier
expirationdatetime | string | Time value
registrationdatetime | string | Time value
firstseendatetime | object | Time value
lastseendatetime | object | Time value
lastupdatedatetime | string | Time value
billing | object | Output field billing
noc | object | Output field noc
zone | object | Output field zone
whoisserver | string | Output field whoisserver
domainstatus | string | Status value
rawwhoistext | string | Output field rawwhoistext
abuse | object | Output field abuse
abuse email | string | Output field abuse email
abuse name | object | Name of the resource
abuse organization | object | Output field abuse organization
abuse telephone | string | Output field abuse telephone
abuse fax | object | Output field abuse fax
abuse address | object | Output field abuse address
abuse address city | object | Output field abuse address city
abuse address countryorregion | object | Output field abuse address countryorregion
abuse address postalcode | object | Output field abuse address postalcode

Output example

{"status code" 200,"response headers" {"cache control" "no store, must revalidate, no cache, max age=0","pragma" "no cache","transfer encoding" "chunked","content type" "application/json","content encoding" "gzip","expires" "0","strict transport security" "max age=31536000","request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","client request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","x ms ags diagnostic" "{\\"serverinfo\\" {\\"datacenter\\" \\"central india\\",\\"slice\\" \\"e\\",\\"ring\\" \\"3\\",\\"scaleuni

Get WHOIS record by WHOIS record ID

Retrieve a specific WHOIS record resource using the provided WHOIS record ID in Microsoft Defender Threat Intelligence.

Endpoint URL: /v1.0/security/threatintelligence/whoisrecords/{{whoisrecordid}}
Method: GET

Input argument name | Type | Required | Description
path parameters whoisrecordid | string | Required | The WHOIS record ID.
parameters $select | string | Optional | Select is supported to limit the properties returned in this query.

Input example

{"path parameters": {"whoisrecordid": "y29udg9zby5jb20kjdy5njq3odeymdc3ndy1nzi0mzm="}}

Output

Parameter | Type | Description
status code | number | HTTP status code of the response
reason | string | Response reason phrase
@odata.type | string | Response data
id | string | Unique identifier
expirationdatetime | string | Time value
registrationdatetime | string | Time value
firstseendatetime | object | Time value
lastseendatetime | object | Time value
lastupdatedatetime | string | Time value
billing | object | Output field billing
noc | object | Output field noc
zone | object | Output field zone
whoisserver | string | Output field whoisserver
domainstatus | string | Status value
rawwhoistext | string | Output field rawwhoistext
abuse | object | Output field abuse
abuse email | string | Output field abuse email
abuse name | object | Name of the resource
abuse organization | object | Output field abuse organization
abuse telephone | string | Output field abuse telephone
abuse fax | object | Output field abuse fax
abuse address | object | Output field abuse address
abuse address city | object | Output field abuse address city
abuse address countryorregion | object | Output field abuse address countryorregion
abuse address postalcode | object | Output field abuse address postalcode

Output example

{"status code" 200,"response headers" {"cache control" "no store, must revalidate, no cache, max age=0","pragma" "no cache","transfer encoding" "chunked","content type" "application/json","content encoding" "gzip","expires" "0","strict transport security" "max age=31536000","request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","client request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","x ms ags diagnostic" "{\\"serverinfo\\" {\\"datacenter\\" \\"central india\\",\\"slice\\" \\"e\\",\\"ring\\" \\"3\\",\\"scaleuni

List host SSL certificates

Retrieve a list of SSL certificate objects associated with a given host ID in Microsoft Defender Threat Intelligence.

Endpoint URL: /v1.0/security/threatintelligence/hosts/{{hostid}}/sslcertificates
Method: GET

Input argument name | Type | Required | Description
path parameters hostid | string | Required | The host ID.
parameters $count | boolean | Optional | Retrieves the total count of matching resources.
parameters $orderby | array | Optional | Orders results.
parameters $select | string | Optional | Returns results based on search criteria.
parameters $skip | number | Optional | Indexes into a result set. Also used by some APIs to implement paging and can be used together with $top to manually page results.
parameters $top | number | Optional | Sets the page size of results.

Input example

{"parameters": {"$count": true, "$orderby": [""], "$select": "", "$skip": 15, "$top": 10}, "path parameters": {"hostid": "contoso.com"}}

Output

Parameter | Type | Description
status code | number | HTTP status code of the response
reason | string | Response reason phrase
value | array | Value for the parameter
value id | string | Unique identifier
value firstseendatetime | string | Value for the parameter
value lastseendatetime | string | Value for the parameter
value ports | array | Value for the parameter
value ports port | number | Value for the parameter
value ports firstseendatetime | string | Value for the parameter
value ports lastseendatetime | string | Value for the parameter
value host | object | Value for the parameter
value host @odata.type | string | Response data
value host id | string | Unique identifier
value sslcertificate | object | Value for the parameter
value sslcertificate @odata.context | string | Response data
value sslcertificate id | string | Unique identifier
value sslcertificate firstseendatetime | string | Value for the parameter
value sslcertificate lastseendatetime | string | Value for the parameter
value sslcertificate fingerprint | string | Value for the parameter
value sslcertificate sslversion | string | Value for the parameter
value sslcertificate expirationdatetime | string | Value for the parameter
value sslcertificate issuedatetime | string | Value for the parameter
value sslcertificate sha1 | string | Value for the parameter
value sslcertificate serialnumber | string | Value for the parameter
value sslcertificate subject | object | Value for the parameter

Output example

{"status code" 200,"response headers" {"cache control" "no store, must revalidate, no cache, max age=0","pragma" "no cache","transfer encoding" "chunked","content type" "application/json","content encoding" "gzip","expires" "0","strict transport security" "max age=31536000","request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","client request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","x ms ags diagnostic" "{\\"serverinfo\\" {\\"datacenter\\" \\"central india\\",\\"slice\\" \\"e\\",\\"ring\\" \\"3\\",\\"scaleuni

List related hosts

Retrieve a list of host resources related to a specified SSL certificate ID in Microsoft Defender Threat Intelligence.

Endpoint URL: /v1.0/security/threatintelligence/sslcertificates/{{sslcertificateid}}/relatedhosts
Method: GET

Input argument name | Type | Required | Description
path parameters sslcertificateid | string | Required | The SSL certificate ID.
parameters $count | boolean | Optional | Retrieves the total count of matching resources.
parameters $skip | number | Optional | Indexes into a result set. Also used by some APIs to implement paging and can be used together with $top to manually page results.
parameters $top | number | Optional | Sets the page size of results.

Input example

{"parameters": {"$count": true, "$skip": 15, "$top": 10}, "path parameters": {"sslcertificateid": "mdjjodmzndizyzywotiznjm1yta0otrhmmi2nthjywm5ndfmm2fmma=="}}

Output

Parameter | Type | Description
status code | number | HTTP status code of the response
reason | string | Response reason phrase
@odata.context | string | Response data
value | array | Value for the parameter
value @odata.type | string | Response data
value id | string | Unique identifier
value firstseendatetime | object | Value for the parameter
value lastseendatetime | object | Value for the parameter
value countryorregion | object | Value for the parameter
value netblock | object | Value for the parameter
value autonomoussystem | object | Value for the parameter
value hostingprovider | object | Unique identifier

Output example

{"status code" 200,"response headers" {"cache control" "no store, must revalidate, no cache, max age=0","pragma" "no cache","transfer encoding" "chunked","content type" "application/json","content encoding" "gzip","expires" "0","strict transport security" "max age=31536000","request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","client request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","x ms ags diagnostic" "{\\"serverinfo\\" {\\"datacenter\\" \\"central india\\",\\"slice\\" \\"e\\",\\"ring\\" \\"3\\",\\"scaleuni

List SSL certificates

Retrieve a list of SSL certificate objects with their properties from Microsoft Defender Threat Intelligence using search parameters.

Endpoint URL: /v1.0/security/threatintelligence/sslcertificates
Method: GET

Input argument name | Type | Required | Description
parameters $count | boolean | Optional | Returns a holistic count of the number of SSL certificate objects.
parameters $orderby | array | Optional | Supports some properties of the SSL certificate resource.
parameters $search | string | Required | Currently supports searching by only one property in a call. Do not include any colon (':') in the search string; simply remove any colon from the property value in the search string, if it exists.
parameters $select | string | Optional | Limits the properties returned in this query.
parameters $skip | number | Optional | Skips over elements in pages. You can combine with $top to perform pagination or use the URL returned in @odata.nextLink for server-side pagination.
parameters $top | number | Optional | Limits the number of elements per page. You can combine with $skip to perform pagination or use the URL returned in @odata.nextLink for server-side pagination.

Input example

{"parameters": {"$count": true, "$orderby": ["firstseendatetime desc"], "$search": "issuer/commonname:contoso", "$select": "", "$skip": 15, "$top": 10}}

Output

Parameter | Type | Description
status code | number | HTTP status code of the response
reason | string | Response reason phrase
value | array | Value for the parameter
value id | string | Unique identifier
value firstseendatetime | string | Value for the parameter
value lastseendatetime | string | Value for the parameter
value fingerprint | string | Value for the parameter
value sslversion | string | Value for the parameter
value expirationdatetime | string | Value for the parameter
value issuedatetime | string | Value for the parameter
value sha1 | string | Value for the parameter
value serialnumber | string | Value for the parameter
value subject | object | Value for the parameter
value subject commonname | string | Name of the resource
value subject address | object | Value for the parameter
value subject address city | string | Value for the parameter
value subject address countryorregion | string | Value for the parameter
value subject address postalcode | object | Value for the parameter
value subject address postofficebox | object | Value for the parameter
value subject address state | string | Value for the parameter
value subject address street | object | Value for the parameter
value subject email | object | Value for the parameter
value subject givenname | object | Name of the resource
value subject organizationname | string | Name of the resource
value subject organizationunitname | object | Name of the resource

Output example

{"status code" 200,"response headers" {"cache control" "no store, must revalidate, no cache, max age=0","pragma" "no cache","transfer encoding" "chunked","content type" "application/json","content encoding" "gzip","expires" "0","strict transport security" "max age=31536000","request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","client request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","x ms ags diagnostic" "{\\"serverinfo\\" {\\"datacenter\\" \\"central india\\",\\"slice\\" \\"e\\",\\"ring\\" \\"3\\",\\"scaleuni

List WHOIS history records by host ID

Retrieve the WHOIS record history for a specified host ID in Microsoft Defender Threat Intelligence.

Endpoint URL: /v1.0/security/threatintelligence/hosts/{{hostid}}/whois/history
Method: GET

Input argument name | Type | Required | Description
path parameters hostid | string | Required | The host ID.
parameters $count | boolean | Optional | Count is supported to return a holistic count of the number of whoishistoryrecord objects.
parameters $select | string | Optional | Select is supported to limit the properties returned in this query.
parameters $skip | number | Optional | Skip is supported to skip over elements in pages. Combine with $top to perform pagination or use the @odata.nextLink for server-side pagination.
parameters $top | number | Optional | Top is supported to limit the number of elements per page. Combine with $skip to perform pagination or use the @odata.nextLink for server-side pagination.

Input example

{"parameters": {"$count": true, "$select": "", "$skip": 15, "$top": 10}, "path parameters": {"hostid": "contoso.com"}}

Output

Parameter | Type | Description
status code | number | HTTP status code of the response
reason | string | Response reason phrase
value | array | Value for the parameter
value @odata.type | string | Response data
value id | string | Unique identifier
value expirationdatetime | string | Value for the parameter
value registrationdatetime | string | Value for the parameter
value firstseendatetime | object | Value for the parameter
value lastseendatetime | object | Value for the parameter
value lastupdatedatetime | string | Value for the parameter
value billing | object | Value for the parameter
value noc | object | Value for the parameter
value zone | object | Value for the parameter
value whoisserver | string | Value for the parameter
value domainstatus | string | Status value
value rawwhoistext | string | Value for the parameter
value abuse | object | Value for the parameter
value abuse email | string | Value for the parameter
value abuse name | object | Name of the resource
value abuse organization | object | Value for the parameter
value abuse telephone | string | Value for the parameter
value abuse fax | object | Value for the parameter
value abuse address | object | Value for the parameter
value abuse address city | object | Value for the parameter
value abuse address countryorregion | object | Value for the parameter

Output example

{"status code" 200,"response headers" {"cache control" "no store, must revalidate, no cache, max age=0","pragma" "no cache","transfer encoding" "chunked","content type" "application/json","content encoding" "gzip","expires" "0","strict transport security" "max age=31536000","request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","client request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","x ms ags diagnostic" "{\\"serverinfo\\" {\\"datacenter\\" \\"central india\\",\\"slice\\" \\"e\\",\\"ring\\" \\"3\\",\\"scaleuni

List WHOIS history records by ID

Retrieve the historical WHOIS record data for a given ID in Microsoft Defender Threat Intelligence.

Endpoint URL: /v1.0/security/threatintelligence/whoisrecords/{{id}}/history
Method: GET

Input argument name | Type | Required | Description
path parameters id | string | Required | Parameters for the List WHOIS history records by ID action.
parameters $count | boolean | Optional | Count is supported to return a holistic count of the number of whoishistoryrecord objects.
parameters $select | string | Optional | Select is supported to limit the properties returned in this query.
parameters $skip | number | Optional | Skip is supported to skip over elements in pages. Combine with $top to perform pagination or use the @odata.nextLink for server-side pagination.
parameters $top | number | Optional | Top is supported to limit the number of elements per page. Combine with $skip to perform pagination or use the @odata.nextLink for server-side pagination.

Input example

{"parameters": {"$count": true, "$select": "", "$skip": 15, "$top": 10}}

Output

Parameter | Type | Description
status code | number | HTTP status code of the response
reason | string | Response reason phrase
value | array | Value for the parameter
value @odata.type | string | Response data
value id | string | Unique identifier
value expirationdatetime | string | Value for the parameter
value registrationdatetime | string | Value for the parameter
value firstseendatetime | object | Value for the parameter
value lastseendatetime | object | Value for the parameter
value lastupdatedatetime | string | Value for the parameter
value billing | object | Value for the parameter
value noc | object | Value for the parameter
value zone | object | Value for the parameter
value whoisserver | string | Value for the parameter
value domainstatus | string | Status value
value rawwhoistext | string | Value for the parameter
value abuse | object | Value for the parameter
value abuse email | string | Value for the parameter
value abuse name | object | Name of the resource
value abuse organization | object | Value for the parameter
value abuse telephone | string | Value for the parameter
value abuse fax | object | Value for the parameter
value abuse address | object | Value for the parameter
value abuse address city | object | Value for the parameter
value abuse address countryorregion | object | Value for the parameter

Output example

{"status code" 200,"response headers" {"cache control" "no store, must revalidate, no cache, max age=0","pragma" "no cache","transfer encoding" "chunked","content type" "application/json","content encoding" "gzip","expires" "0","strict transport security" "max age=31536000","request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","client request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","x ms ags diagnostic" "{\\"serverinfo\\" {\\"datacenter\\" \\"central india\\",\\"slice\\" \\"e\\",\\"ring\\" \\"3\\",\\"scaleuni

List WHOIS records

Retrieve a list of WHOIS record objects from Microsoft Defender Threat Intelligence using search parameters.

Endpoint URL: /v1.0/security/threatintelligence/whoisrecords
Method: GET

Input argument name | Type | Required | Description
parameters $count | boolean | Optional | Count is supported to return a holistic count of the number of WHOIS record objects.
parameters $orderby | array | Optional | Orderby supports some properties of the WHOIS record resource.
parameters $search | string | Required | search
is required in the request url of this api the api currently only supports searching by one field in a call parameters $select string optional select is supported to limit the properties returned in this query parameters $skip number optional skip is supported to skip over elements in pages combine with $top to perform pagination or use the @odata nextlink for server side pagination parameters $top number optional top is supported to limit the number of elements per page combine with $skip to perform pagination or use the @odata nextlink for server side pagination input example {"parameters" {"$count"\ true,"$orderby" \["registrationdatetime desc"],"$search" "admin/address/state\ wa","$select" "","$skip" 15,"$top" 10}} output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter value \@odata type string response data value id string unique identifier value expirationdatetime string value for the parameter value registrationdatetime string value for the parameter value firstseendatetime object value for the parameter value lastseendatetime object value for the parameter value lastupdatedatetime string value for the parameter value billing object value for the parameter value noc object value for the parameter value zone object value for the parameter value whoisserver string value for the parameter value domainstatus string status value value rawwhoistext string value for the parameter value abuse object value for the parameter value abuse email string value for the parameter value abuse name object name of the resource value abuse organization object value for the parameter value abuse telephone string value for the parameter value abuse fax object value for the parameter value abuse address object value for the parameter value abuse address city object value for the parameter value abuse address countryorregion object value for the parameter output example {"status 
code" 200,"response headers" {"cache control" "no store, must revalidate, no cache, max age=0","pragma" "no cache","transfer encoding" "chunked","content type" "application/json","content encoding" "gzip","expires" "0","strict transport security" "max age=31536000","request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","client request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301","x ms ags diagnostic" "{\\"serverinfo\\" {\\"datacenter\\" \\"central india\\",\\"slice\\" \\"e\\",\\"ring\\" \\"3\\",\\"scaleuni response headers header description example cache control directives for caching mechanisms no store, must revalidate, no cache, max age=0 client request id http response header client request id 33e59775 3b6f 4cf1 86a8 8a3cb1c4e301 content encoding http response header content encoding gzip content type the media type of the resource application/json date the date and time at which the message was originated thu, 17 oct 2024 12 51 44 gmt expires the date/time after which the response is considered stale 0 pragma http response header pragma no cache request id http response header request id 33e59775 3b6f 4cf1 86a8 8a3cb1c4e301 strict transport security http response header strict transport security max age=31536000 transfer encoding http response header transfer encoding chunked vary http response header vary origin,access control request method,access control request headers, accept encoding x content type options http response header x content type options nosniff x ms ags diagnostic http response header x ms ags diagnostic {"serverinfo" {"datacenter" "central india","slice" "e","ring" "3","scaleunit" "001","roleinstance" "pn3pepf000003cb"}}
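The WHOIS actions above document paging with $skip and $top or by following @odata.nextLink. The sketch below is an added example, not connector or Microsoft code: it collects every page of a host's WHOIS history and refuses to follow a next link that leaves HTTPS or the Graph host, so a token is never sent to another origin. The `fetch` callable, `MAX_PAGES`, the `graph.microsoft.com` host and the two sample pages are assumptions constructed for the example.

```python
from urllib.parse import quote, urlsplit

GRAPH_HOST = "graph.microsoft.com"  # assumption: commercial Microsoft Graph endpoint
MAX_PAGES = 100                     # hypothetical cap so a bad link cannot loop forever

def page_params(page, top=10):
    """Return the $skip/$top pair for a zero-based page number."""
    if page < 0 or top < 1:
        raise ValueError("page must be >= 0 and top must be >= 1")
    return {"$skip": page * top, "$top": top}

def trusted_next_link(link):
    """Accept a server-supplied link only if it is HTTPS on the Graph host."""
    parts = urlsplit(link)
    return parts.scheme == "https" and parts.hostname == GRAPH_HOST

def collect_whois_history(fetch, host_id, top=10):
    """Collect all WHOIS history records for host_id.

    fetch(url, params) is a hypothetical callable that sends the authenticated
    GET and returns the decoded JSON body as a dict.
    """
    url = (f"https://{GRAPH_HOST}/v1.0/security/threatIntelligence/hosts/"
           f"{quote(host_id, safe='')}/whois/history")  # encode the path segment
    params, records, seen = page_params(0, top), [], set()
    for _ in range(MAX_PAGES):
        if url in seen:
            raise RuntimeError("nextLink repeats an earlier page")
        seen.add(url)
        body = fetch(url, params)
        records.extend(body.get("value", []))
        next_link = body.get("@odata.nextLink")
        if not next_link:
            return records
        if not trusted_next_link(next_link):
            raise ValueError(f"refusing to follow nextLink: {next_link!r}")
        url, params = next_link, None  # the nextLink already carries the query
    raise RuntimeError("page cap reached before the last page")

# Constructed two-page response set for an offline run (not real API output).
_BASE = f"https://{GRAPH_HOST}/v1.0/security/threatIntelligence/hosts/contoso.com/whois/history"
_PAGES = {
    _BASE: {"value": [{"id": "rec-1"}, {"id": "rec-2"}],
            "@odata.nextLink": _BASE + "?$skip=2&$top=2"},
    _BASE + "?$skip=2&$top=2": {"value": [{"id": "rec-3"}]},
}

def fake_fetch(url, params):
    """Stand-in for the authenticated request; serves the constructed pages."""
    return _PAGES[url]
```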