# Microsoft Defender Threat Intelligence
## Overview

The Microsoft Defender Threat Intelligence connector enables automated access to threat intelligence data, facilitating proactive cybersecurity measures. Microsoft Defender Threat Intelligence offers a comprehensive suite of threat detection and analysis tools. This connector enables Swimlane Turbine users to integrate with Microsoft's threat intelligence capabilities, allowing for the retrieval and analysis of SSL certificates, passive DNS records, and WHOIS information. By leveraging this integration, security teams can enhance their threat detection and response workflows, gaining access to Microsoft's rich threat intelligence data directly within Swimlane Turbine playbooks.

## Limitations

When using `$filter` and `$orderby` in the same query to get messages, make sure to specify properties in the following ways:

- Properties that appear in `$orderby` must also appear in `$filter`.
- Properties that appear in `$orderby` are in the same order as in `$filter`.
- Properties that are present in `$orderby` appear in `$filter` before any properties that aren't.

Failing to do this results in the following error:

- Error code: `InefficientFilter`
- Error message: `The restriction or sort order is too complex for this operation.`

## Supported versions

This Microsoft Defender Threat Intelligence connector uses the version 1.0 API.

## Additional docs

- Microsoft Defender Threat Intelligence authentication link: https://learn.microsoft.com/en-us/graph/auth/auth-concepts
- Microsoft Defender Threat Intelligence API documentation: https://learn.microsoft.com/en-us/graph/api/resources/security-threatintelligence-overview?view=graph-rest-1.0
- Microsoft Defender Threat Intelligence permissions link: https://learn.microsoft.com/en-us/graph/permissions-overview?tabs=http
- Azure AD OAuth2 flow: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code

## Configuration

### Prerequisites

To effectively utilize the Microsoft Defender Threat Intelligence connector within Swimlane Turbine, ensure you have the following prerequisites:

- OAuth 2.0 client credentials for secure authentication, which include:
  - URL: endpoint URL for API access
  - Client ID: unique identifier for the application making the request
  - Client Secret: a secret key known only to the application and the authorization server
  - Token URL: endpoint URL to obtain the access token
  - Scope: permissions the application requires

### Client credential flow authentication

Authentication uses Azure application OAuth2. You will need an admin account in Azure to create the application.

Recommended application permissions (feel free to use custom permissions if you only use certain actions):

- `ThreatIntelligence.Read.All`

In order to set up the asset, you need the following:

- Azure application client ID
- Azure application client secret
- Azure tenant ID

### Steps to create the Azure app

1. Go to the [App registration page](https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationsListBlade) in the Azure portal.
2. Click **New registration**.
3. Enter a name for your new application and choose **Accounts in this organizational directory only**, then click **Register** at the bottom.
4. Navigate to the **API permissions** tab on the left navigation menu.
5. Select **Add a permission**.
6. Select **Microsoft Graph**.
7. Select **Application permissions**, then mark all the permissions you need for the actions you are using (see suggested permissions at the top of the asset setup section).
8. Click the **Add permissions** button at the bottom of the page.
9. Select **Grant admin consent** for your organization; your permissions should then look as below.
10. Navigate to the **Certificates & secrets** tab and select **New client secret**.
11. Fill out the description and expiration, then click the **Add** button at the bottom. The value of the secret you just created is the client secret needed for the Swimlane asset.
12. Navigate to the **Overview** tab on the left menu. The client ID and tenant ID needed in the asset are shown on this page.

The client ID, tenant ID, and client secret described in the steps above are the credentials you need for the asset.
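The three `$filter`/`$orderby` rules from the Limitations section, checked before a query is sent, as an added example that is not part of the connector: it scans the properties used with a comparison operator in `$filter`, in their order of appearance, and reports which rule a combination breaks (function-style filters such as `startswith()` are not parsed).

```python
"""Check a $filter/$orderby pair against the three rules in the Limitations section.

Added illustration, not part of the connector.  $filter is scanned for properties used
with a comparison operator (eq, ne, gt, ge, lt, le), in order of appearance.
"""
import re
from typing import List

_COMPARISON = re.compile(r"([A-Za-z_][A-Za-z0-9_/]*)\s+(?:eq|ne|gt|ge|lt|le)\b")


def filter_properties(odata_filter: str) -> List[str]:
    """Distinct properties used in $filter, in order of first appearance."""
    return list(dict.fromkeys(_COMPARISON.findall(odata_filter)))


def orderby_properties(odata_orderby: str) -> List[str]:
    """Properties named in $orderby, with any asc/desc direction dropped."""
    props = []
    for clause in odata_orderby.split(","):
        parts = clause.strip().split()
        if parts:
            props.append(parts[0])
    return props


def check_filter_orderby(odata_filter: str, odata_orderby: str) -> List[str]:
    """Return the rules the pair violates; an empty list means the query is acceptable."""
    f_props = filter_properties(odata_filter)
    o_props = orderby_properties(odata_orderby)
    problems: List[str] = []

    # Rule 1: every $orderby property must also appear in $filter.
    missing = [p for p in o_props if p not in f_props]
    if missing:
        problems.append("not in $filter: " + ", ".join(missing))
        return problems  # the remaining rules cannot be judged without rule 1

    # Rule 2: the shared properties must appear in $filter in the same order as in $orderby.
    shared_in_filter_order = [p for p in f_props if p in o_props]
    if shared_in_filter_order != o_props:
        problems.append("$orderby order differs from $filter order")

    # Rule 3: $orderby properties must precede every other property in $filter.
    if set(f_props[: len(o_props)]) != set(o_props):
        problems.append("$orderby properties must come first in $filter")
    return problems


def explain(odata_filter: str, odata_orderby: str) -> str:
    """Human-readable verdict, naming the error Graph returns when the rules are broken."""
    problems = check_filter_orderby(odata_filter, odata_orderby)
    if not problems:
        return "OK"
    return ("InefficientFilter (the restriction or sort order is too complex): "
            + "; ".join(problems))


if __name__ == "__main__":
    print(explain("receivedDateTime ge 2024-10-01T00:00:00Z and isRead eq false",
                  "receivedDateTime desc"))
    print(explain("isRead eq false and receivedDateTime ge 2024-10-01T00:00:00Z",
                  "receivedDateTime desc"))
```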
## Authentication methods

### OAuth 2.0 client credentials

To effectively utilize the Microsoft Defender Threat Intelligence connector within Swimlane Turbine, ensure you have the following prerequisites: OAuth 2.0 client credentials authentication with the following parameters:

- URL: endpoint for the Microsoft Defender Threat Intelligence API
- Client ID: unique identifier for the application seeking access
- Client Secret: a secret known only to the application and the authorization server
- Token URL: endpoint to obtain the OAuth 2.0 tokens
- Scope: permissions the application requires

## Capabilities

This Microsoft Defender Threat Intelligence connector provides the following capabilities:

- Get Host SSL Certificate
- Get Passive DNS Record
- Get SSL Certificate
- Get Whois History Record
- Get Whois Record by Host ID
- Get Whois Record by Whois Record ID
- List Host SSL Certificates
- List Related Hosts
- List SSL Certificates
- List Whois History Records by Host ID
- List Whois History Records by ID
- List Whois Records

### Get Host SSL Certificate

Get the properties and relationships of a host SSL certificate object. Microsoft Defender Threat Intelligence documentation for this action can be found [here](https://learn.microsoft.com/en-us/graph/api/security-hostsslcertificate-get?view=graph-rest-1.0&tabs=http).

### Get Passive DNS Record

Read the properties and relationships of a passive DNS record object. Microsoft Defender Threat Intelligence documentation for this action can be found [here](https://learn.microsoft.com/en-us/graph/api/security-passivednsrecord-get?view=graph-rest-1.0&tabs=http).

### Get SSL Certificate

Get the properties and relationships of an SSL certificate object. Microsoft Defender Threat Intelligence documentation for this action can be found [here](https://learn.microsoft.com/en-us/graph/api/security-sslcertificate-get?view=graph-rest-1.0&tabs=http).

### Get Whois History Record

Get a WHOIS history record. Microsoft Defender Threat Intelligence documentation for this action can be found [here](https://learn.microsoft.com/en-us/graph/api/security-whoishistoryrecord-get?view=graph-rest-1.0).

### Get Whois Record by Host ID

Get the current WHOIS record for the specified host. Microsoft Defender Threat Intelligence documentation for this action can be found [here](https://learn.microsoft.com/en-us/graph/api/security-whoisrecord-get?view=graph-rest-1.0&tabs=http).

### Get Whois Record by Whois Record ID

Get the specified WHOIS record resource by WHOIS record ID. Microsoft Defender Threat Intelligence documentation for this action can be found [here](https://learn.microsoft.com/en-us/graph/api/security-whoisrecord-get?view=graph-rest-1.0&tabs=http).

### List Host SSL Certificates

Get a list of host SSL certificate objects from the host navigation property. Microsoft Defender Threat Intelligence documentation for this action can be found [here](https://learn.microsoft.com/en-us/graph/api/security-host-list-sslcertificates?view=graph-rest-1.0&tabs=http).

### List Related Hosts

Get a list of related host resources associated with an SSL certificate. Microsoft Defender Threat Intelligence documentation for this action can be found [here](https://learn.microsoft.com/en-us/graph/api/security-sslcertificate-list-relatedhosts?view=graph-rest-1.0&tabs=http).

### List SSL Certificates

Get a list of SSL certificate objects and their properties. Microsoft Defender Threat Intelligence documentation for this action can be found [here](https://learn.microsoft.com/en-us/graph/api/security-threatintelligence-list-sslcertificates?view=graph-rest-1.0&tabs=http).

### List Whois History Records by Host ID

Get the history for a WHOIS record, as represented by a collection of whoisHistoryRecord resources. Microsoft Defender Threat Intelligence documentation for this action can be found [here](https://learn.microsoft.com/en-us/graph/api/security-whoisrecord-list-history?view=graph-rest-1.0&tabs=http).

### List Whois History Records by ID

Get the history for a WHOIS record, as represented by a collection of WHOIS history record resources. Microsoft Defender Threat Intelligence documentation for this action can be found [here](https://learn.microsoft.com/en-us/graph/api/security-whoisrecord-list-history?view=graph-rest-1.0&tabs=http).

### List Whois Records

Get a list of WHOIS record objects. Microsoft Defender Threat Intelligence documentation for this action can be found [here](https://learn.microsoft.com/en-us/graph/api/security-threatintelligence-list-whoisrecords?view=graph-rest-1.0&tabs=http).

## Configurations

### MS Defender Threat Intelligence OAuth Client Creds

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| token_url | Must start with [https://login.microsoftonline.com/](https://login.microsoftonline.com/), continue with the tenant ID, and end with `/oauth2/v2.0/token` | string | required |
| client_id | The client ID | string | required |
| client_secret | The client secret | string | required |
| scope | List of permission scopes for this action | array | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Get Host SSL Certificate

Retrieve properties and relationships of a specific host SSL certificate in Microsoft Defender Threat Intelligence using the certificate ID.

- Endpoint URL: `/v1.0/security/threatIntelligence/hostSslCertificates/{{hostSslCertificateId}}`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| hostSslCertificateId | string | required | The host SSL certificate ID |
| $count | boolean | optional | Retrieves the total count of matching resources |
| $orderby | array | optional | Orders results |
| $select | string | optional | Returns results based on search criteria |
| $skip | number | optional | Indexes into a result set; also used by some APIs to implement paging and can be used together with $top to manually page results |
| $top | number | optional | Sets the page size of results |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| value | object | Value for the parameter |
| id | string | Unique identifier |
| firstSeenDateTime | string | Time value |
| lastSeenDateTime | string | Time value |
| ports | array | Output field ports |
| port | number | Output field port |
| firstSeenDateTime | string | Time value |
| lastSeenDateTime | string | Time value |
| host | object | Output field host |
| @odata.type | string | Response data |
| id | string | Unique identifier |
| sslCertificate | object | Output field sslCertificate |
| @odata.context | string | Response data |
| id | string | Unique identifier |
| firstSeenDateTime | string | Time value |
| lastSeenDateTime | string | Time value |
| fingerprint | string | Output field fingerprint |
| sslVersion | string | Output field sslVersion |
| expirationDateTime | string | Time value |
| issueDateTime | string | Time value |
| sha1 | string | Output field sha1 |
| serialNumber | string | Output field serialNumber |
| subject | object | Output field subject |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-store, must-revalidate, no-cache, max-age=0",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json",
      "Content-Encoding": "gzip",
      "Expires": "0",
      "Strict-Transport-Security": "max-age=31536000",
      "request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "client-request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"Central India\",\"Slice\":\"E\",\"Ring\":\"3\",\"ScaleUnit\":\"...",
      "x-content-type-options": "nosniff",
      "Vary": "Origin,Access-Control-Request-Method,Access-Control-Request-Headers, Accept-Enco...",
      "Date": "Thu, 17 Oct 2024 12:51:44 GMT"
    },
    "reason": "OK",
    "json_body": {
      "value": {}
    }
  }
]
```
### Get Passive DNS Record

Retrieve details and relationships of a specific passive DNS record object in Microsoft Defender Threat Intelligence using the record ID.

- Endpoint URL: `/v1.0/security/threatIntelligence/passiveDnsRecords/{{passiveDnsRecordId}}`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| passiveDnsRecordId | string | required | The passive DNS record ID |
| $count | boolean | optional | Retrieves the total count of matching resources |
| $orderby | array | optional | Orders results |
| $search | string | optional | Returns results based on search criteria |
| $select | string | optional | Filters properties (columns) |
| $skip | number | optional | Indexes into a result set; also used by some APIs to implement paging and can be used together with $top to manually page results |
| $top | number | optional | Sets the page size of results |
| $expand | array | optional | Retrieves related resources |
| $format | string | optional | Returns the results in the specified media format |
| $filter | string | optional | Filters results (rows) |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| value | object | Value for the parameter |
| @odata.type | string | Response data |
| id | string | Unique identifier |
| firstSeenDateTime | string | Time value |
| lastSeenDateTime | string | Time value |
| collectedDateTime | string | Time value |
| recordType | string | Type of the resource |
| parentHost | object | Output field parentHost |
| id | string | Unique identifier |
| artifact | object | Output field artifact |
| @odata.type | string | Response data |
| id | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-store, must-revalidate, no-cache, max-age=0",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json",
      "Content-Encoding": "gzip",
      "Expires": "0",
      "Strict-Transport-Security": "max-age=31536000",
      "request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "client-request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"Central India\",\"Slice\":\"E\",\"Ring\":\"3\",\"ScaleUnit\":\"...",
      "x-content-type-options": "nosniff",
      "Vary": "Origin,Access-Control-Request-Method,Access-Control-Request-Headers, Accept-Enco...",
      "Date": "Thu, 17 Oct 2024 12:51:44 GMT"
    },
    "reason": "OK",
    "json_body": {
      "value": {}
    }
  }
]
```

### Get SSL Certificate

Retrieve properties and relationships of an SSL certificate object in Microsoft Defender Threat Intelligence using the sslCertificateId.

- Endpoint URL: `/v1.0/security/threatIntelligence/sslCertificates/{{sslCertificateId}}`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| sslCertificateId | string | required | The SSL certificate ID |
| $count | boolean | optional | Retrieves the total count of matching resources |
| $orderby | array | optional | Orders results |
| $search | string | optional | Returns results based on search criteria |
| $select | string | optional | Filters properties (columns) |
| $skip | number | optional | Indexes into a result set; also used by some APIs to implement paging and can be used together with $top to manually page results |
| $top | number | optional | Sets the page size of results |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| value | object | Value for the parameter |
| id | string | Unique identifier |
| firstSeenDateTime | string | Time value |
| lastSeenDateTime | string | Time value |
| fingerprint | string | Output field fingerprint |
| sslVersion | string | Output field sslVersion |
| expirationDateTime | string | Time value |
| issueDateTime | string | Time value |
| sha1 | string | Output field sha1 |
| serialNumber | string | Output field serialNumber |
| subject | object | Output field subject |
| commonName | string | Name of the resource |
| address | object | Output field address |
| city | string | Output field city |
| countryOrRegion | string | Output field countryOrRegion |
| postalCode | object | Output field postalCode |
| postOfficeBox | object | Output field postOfficeBox |
| state | string | Output field state |
| street | object | Output field street |
| email | object | Output field email |
| givenName | object | Name of the resource |
| organizationName | string | Name of the resource |
| organizationUnitName | object | Name of the resource |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-store, must-revalidate, no-cache, max-age=0",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json",
      "Content-Encoding": "gzip",
      "Expires": "0",
      "Strict-Transport-Security": "max-age=31536000",
      "request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "client-request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"Central India\",\"Slice\":\"E\",\"Ring\":\"3\",\"ScaleUnit\":\"...",
      "x-content-type-options": "nosniff",
      "Vary": "Origin,Access-Control-Request-Method,Access-Control-Request-Headers, Accept-Enco...",
      "Date": "Thu, 17 Oct 2024 12:51:44 GMT"
    },
    "reason": "OK",
    "json_body": {
      "value": {}
    }
  }
]
```

### Get Whois History Record

Retrieve the history record for a domain's WHOIS information using its unique identifier in Microsoft Defender Threat Intelligence.

- Endpoint URL: `/v1.0/security/threatIntelligence/whoisHistoryRecord/{{whoisHistoryRecordId}}`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| whoisHistoryRecordId | string | required | The WHOIS history record ID |
| $select | string | optional | Select is supported to limit the properties returned in this query |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.type | string | Response data |
| id | string | Unique identifier |
| expirationDateTime | string | Time value |
| registrationDateTime | string | Time value |
| firstSeenDateTime | object | Time value |
| lastSeenDateTime | object | Time value |
| lastUpdateDateTime | string | Time value |
| billing | object | Output field billing |
| noc | object | Output field noc |
| zone | object | Output field zone |
| whoisServer | string | Output field whoisServer |
| domainStatus | string | Status value |
| rawWhoisText | string | Output field rawWhoisText |
| abuse | object | Output field abuse |
| email | string | Output field email |
| name | object | Name of the resource |
| organization | object | Output field organization |
| telephone | string | Output field telephone |
| fax | object | Output field fax |
| address | object | Output field address |
| city | object | Output field city |
| countryOrRegion | object | Output field countryOrRegion |
| postalCode | object | Output field postalCode |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-store, must-revalidate, no-cache, max-age=0",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json",
      "Content-Encoding": "gzip",
      "Expires": "0",
      "Strict-Transport-Security": "max-age=31536000",
      "request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "client-request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"Central India\",\"Slice\":\"E\",\"Ring\":\"3\",\"ScaleUnit\":\"...",
      "x-content-type-options": "nosniff",
      "Vary": "Origin,Access-Control-Request-Method,Access-Control-Request-Headers, Accept-Enco...",
      "Date": "Thu, 17 Oct 2024 12:51:44 GMT"
    },
    "reason": "OK",
    "json_body": {
      "@odata.type": "#microsoft.graph.security.whoisHistoryRecord",
      "id": "Y29udG9zby5jb20kJDY5NjQ3ODEyMDc3NDY1NzI0MzM=",
      "expirationDateTime": "2023-08-31T00:00:00Z",
      "registrationDateTime": "2022-07-30T09:43:19Z",
      "firstSeenDateTime": null,
      "lastSeenDateTime": null,
      "lastUpdateDateTime": "2023-06-24T08:34:15.984Z",
      "billing": null,
      "noc": null,
      "zone": null,
      "whoisServer": "rdap.markmonitor.com",
      "domainStatus": "client update prohibited,client transfer prohibited,client delete prohibited",
      "rawWhoisText": "Registrar:\n   Handle: 1891582_DOMAIN_COM-VRSN\n   LDH Name: contoso.com\n   Nameserv...",
      "abuse": {},
      "admin": {}
    }
  }
]
```

### Get Whois Record by Host ID

Retrieve the current WHOIS record for a specified host using its unique identifier, requiring the hostId as a path parameter.

- Endpoint URL: `/v1.0/security/threatIntelligence/hosts/{{hostId}}/whois`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| hostId | string | required | The host ID |
| $select | string | optional | Select is supported to limit the properties returned in this query |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| id | string | Unique identifier |
| expirationDateTime | string | Time value |
| registrationDateTime | string | Time value |
| firstSeenDateTime | object | Time value |
| lastSeenDateTime | object | Time value |
| lastUpdateDateTime | string | Time value |
| billing | object | Output field billing |
| noc | object | Output field noc |
| zone | object | Output field zone |
| whoisServer | string | Output field whoisServer |
| domainStatus | string | Status value |
| rawWhoisText | string | Output field rawWhoisText |
| abuse | object | Output field abuse |
| email | string | Output field email |
| name | object | Name of the resource |
| organization | object | Output field organization |
| telephone | string | Output field telephone |
| fax | object | Output field fax |
| address | object | Output field address |
| city | object | Output field city |
| countryOrRegion | object | Output field countryOrRegion |
| postalCode | object | Output field postalCode |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-store, must-revalidate, no-cache, max-age=0",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json",
      "Content-Encoding": "gzip",
      "Expires": "0",
      "Strict-Transport-Security": "max-age=31536000",
      "request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "client-request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"Central India\",\"Slice\":\"E\",\"Ring\":\"3\",\"ScaleUnit\":\"...",
      "x-content-type-options": "nosniff",
      "Vary": "Origin,Access-Control-Request-Method,Access-Control-Request-Headers, Accept-Enco...",
      "Date": "Thu, 17 Oct 2024 12:51:44 GMT"
    },
    "reason": "OK",
    "json_body": {
      "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.security.whoisRecord",
      "id": "Y29udG9zby5jb20kJDY5NjQ3ODEyMDc3NDY1NzI0MzM=",
      "expirationDateTime": "2023-08-31T00:00:00Z",
      "registrationDateTime": "2022-07-30T09:43:19Z",
      "firstSeenDateTime": null,
      "lastSeenDateTime": null,
      "lastUpdateDateTime": "2023-06-24T08:34:15.984Z",
      "billing": null,
      "noc": null,
      "zone": null,
      "whoisServer": "rdap.markmonitor.com",
      "domainStatus": "client update prohibited,client transfer prohibited,client delete prohibited",
      "rawWhoisText": "Registrar:\n   Handle: 1891582_DOMAIN_COM-VRSN\n   LDH Name: contoso.com\n   Nameserv...",
      "abuse": {},
      "admin": {}
    }
  }
]
```
### Get Whois Record by Whois Record ID

Retrieve a specific WHOIS record resource using the provided WHOIS record ID in Microsoft Defender Threat Intelligence.

- Endpoint URL: `/v1.0/security/threatIntelligence/whoisRecords/{{whoisRecordId}}`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| whoisRecordId | string | required | The WHOIS record ID |
| $select | string | optional | Select is supported to limit the properties returned in this query |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.type | string | Response data |
| id | string | Unique identifier |
| expirationDateTime | string | Time value |
| registrationDateTime | string | Time value |
| firstSeenDateTime | object | Time value |
| lastSeenDateTime | object | Time value |
| lastUpdateDateTime | string | Time value |
| billing | object | Output field billing |
| noc | object | Output field noc |
| zone | object | Output field zone |
| whoisServer | string | Output field whoisServer |
| domainStatus | string | Status value |
| rawWhoisText | string | Output field rawWhoisText |
| abuse | object | Output field abuse |
| email | string | Output field email |
| name | object | Name of the resource |
| organization | object | Output field organization |
| telephone | string | Output field telephone |
| fax | object | Output field fax |
| address | object | Output field address |
| city | object | Output field city |
| countryOrRegion | object | Output field countryOrRegion |
| postalCode | object | Output field postalCode |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-store, must-revalidate, no-cache, max-age=0",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json",
      "Content-Encoding": "gzip",
      "Expires": "0",
      "Strict-Transport-Security": "max-age=31536000",
      "request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "client-request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"Central India\",\"Slice\":\"E\",\"Ring\":\"3\",\"ScaleUnit\":\"...",
      "x-content-type-options": "nosniff",
      "Vary": "Origin,Access-Control-Request-Method,Access-Control-Request-Headers, Accept-Enco...",
      "Date": "Thu, 17 Oct 2024 12:51:44 GMT"
    },
    "reason": "OK",
    "json_body": {
      "@odata.type": "#microsoft.graph.security.whoisRecord",
      "id": "Y29udG9zby5jb20kJDY5NjQ3ODEyMDc3NDY1NzI0MzM=",
      "expirationDateTime": "2023-08-31T00:00:00Z",
      "registrationDateTime": "2022-07-30T09:43:19Z",
      "firstSeenDateTime": null,
      "lastSeenDateTime": null,
      "lastUpdateDateTime": "2023-06-24T08:34:15.984Z",
      "billing": null,
      "noc": null,
      "zone": null,
      "whoisServer": "rdap.markmonitor.com",
      "domainStatus": "client update prohibited,client transfer prohibited,client delete prohibited",
      "rawWhoisText": "Registrar:\n   Handle: 1891582_DOMAIN_COM-VRSN\n   LDH Name: contoso.com\n   Nameserv...",
      "abuse": {},
      "admin": {}
    }
  }
]
```

### List Host SSL Certificates

Retrieve a list of SSL certificate objects associated with a given host ID in Microsoft Defender Threat Intelligence.

- Endpoint URL: `/v1.0/security/threatIntelligence/hosts/{{hostId}}/sslCertificates`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| hostId | string | required | The host ID |
| $count | boolean | optional | Retrieves the total count of matching resources |
| $orderby | array | optional | Orders results |
| $select | string | optional | Returns results based on search criteria |
| $skip | number | optional | Indexes into a result set; also used by some APIs to implement paging and can be used together with $top to manually page results |
| $top | number | optional | Sets the page size of results |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| value | array | Value for the parameter |
| id | string | Unique identifier |
| firstSeenDateTime | string | Time value |
| lastSeenDateTime | string | Time value |
| ports | array | Output field ports |
| port | number | Output field port |
| firstSeenDateTime | string | Time value |
| lastSeenDateTime | string | Time value |
| host | object | Output field host |
| @odata.type | string | Response data |
| id | string | Unique identifier |
| sslCertificate | object | Output field sslCertificate |
| @odata.context | string | Response data |
| id | string | Unique identifier |
| firstSeenDateTime | string | Time value |
| lastSeenDateTime | string | Time value |
| fingerprint | string | Output field fingerprint |
| sslVersion | string | Output field sslVersion |
| expirationDateTime | string | Time value |
| issueDateTime | string | Time value |
| sha1 | string | Output field sha1 |
| serialNumber | string | Output field serialNumber |
| subject | object | Output field subject |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-store, must-revalidate, no-cache, max-age=0",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json",
      "Content-Encoding": "gzip",
      "Expires": "0",
      "Strict-Transport-Security": "max-age=31536000",
      "request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "client-request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"Central India\",\"Slice\":\"E\",\"Ring\":\"3\",\"ScaleUnit\":\"...",
      "x-content-type-options": "nosniff",
      "Vary": "Origin,Access-Control-Request-Method,Access-Control-Request-Headers, Accept-Enco...",
      "Date": "Thu, 17 Oct 2024 12:51:44 GMT"
    },
    "reason": "OK",
    "json_body": {
      "value": []
    }
  }
]
```

### List Related Hosts

Retrieve a list of host resources related to a specified SSL certificate ID in Microsoft Defender Threat Intelligence.

- Endpoint URL: `/v1.0/security/threatIntelligence/sslCertificates/{{sslCertificateId}}/relatedHosts`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| sslCertificateId | string | required | The SSL certificate ID |
| $count | boolean | optional | Retrieves the total count of matching resources |
| $skip | number | optional | Indexes into a result set; also used by some APIs to implement paging and can be used together with $top to manually page results |
| $top | number | optional | Sets the page size of results |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| @odata.context | string | Response data |
| value | array | Value for the parameter |
| @odata.type | string | Response data |
| id | string | Unique identifier |
| firstSeenDateTime | object | Time value |
| lastSeenDateTime | object | Time value |
| countryOrRegion | object | Output field countryOrRegion |
| netblock | object | Output field netblock |
| autonomousSystem | object | Output field autonomousSystem |
| hostingProvider | object | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-store, must-revalidate, no-cache, max-age=0",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json",
      "Content-Encoding": "gzip",
      "Expires": "0",
      "Strict-Transport-Security": "max-age=31536000",
      "request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "client-request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"Central India\",\"Slice\":\"E\",\"Ring\":\"3\",\"ScaleUnit\":\"...",
      "x-content-type-options": "nosniff",
      "Vary": "Origin,Access-Control-Request-Method,Access-Control-Request-Headers, Accept-Enco...",
      "Date": "Thu, 17 Oct 2024 12:51:44 GMT"
    },
    "reason": "OK",
    "json_body": {
      "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(microsoft.graph.security.h...",
      "value": []
    }
  }
]
```
### List SSL Certificates

Retrieve a list of SSL certificate objects with their properties from Microsoft Defender Threat Intelligence using search parameters.

- Endpoint URL: `/v1.0/security/threatIntelligence/sslCertificates`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| $count | boolean | optional | Returns a holistic count of the number of SSL certificate objects |
| $orderby | array | optional | Supports some properties of the SSL certificate resource |
| $search | string | required | Currently supports searching by only one property in a call. Do not include any colon (':') in the search string; simply remove any colon from the property value in the search string, if it exists |
| $select | string | optional | Limits the properties returned in this query |
| $skip | number | optional | Skips over elements in pages. You can combine with $top to perform pagination or use the URL returned in @odata.nextLink for server-side pagination |
| $top | number | optional | Limits the number of elements per page. You can combine with $skip to perform pagination or use the URL returned in @odata.nextLink for server-side pagination |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| value | array | Value for the parameter |
| id | string | Unique identifier |
| firstSeenDateTime | string | Time value |
| lastSeenDateTime | string | Time value |
| fingerprint | string | Output field fingerprint |
| sslVersion | string | Output field sslVersion |
| expirationDateTime | string | Time value |
| issueDateTime | string | Time value |
| sha1 | string | Output field sha1 |
| serialNumber | string | Output field serialNumber |
| subject | object | Output field subject |
| commonName | string | Name of the resource |
| address | object | Output field address |
| city | string | Output field city |
| countryOrRegion | string | Output field countryOrRegion |
| postalCode | object | Output field postalCode |
| postOfficeBox | object | Output field postOfficeBox |
| state | string | Output field state |
| street | object | Output field street |
| email | object | Output field email |
| givenName | object | Name of the resource |
| organizationName | string | Name of the resource |
| organizationUnitName | object | Name of the resource |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-store, must-revalidate, no-cache, max-age=0",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json",
      "Content-Encoding": "gzip",
      "Expires": "0",
      "Strict-Transport-Security": "max-age=31536000",
      "request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "client-request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"Central India\",\"Slice\":\"E\",\"Ring\":\"3\",\"ScaleUnit\":\"...",
      "x-content-type-options": "nosniff",
      "Vary": "Origin,Access-Control-Request-Method,Access-Control-Request-Headers, Accept-Enco...",
      "Date": "Thu, 17 Oct 2024 12:51:44 GMT"
    },
    "reason": "OK",
    "json_body": {
      "value": []
    }
  }
]
```

### List Whois History Records by Host ID

Retrieve the WHOIS record history for a specified host ID in Microsoft Defender Threat Intelligence.

- Endpoint URL: `/v1.0/security/threatIntelligence/hosts/{{hostId}}/whois/history`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| hostId | string | required | The host ID |
| $count | boolean | optional | Count is supported to return a holistic count of the number of whoisHistoryRecord objects |
| $select | string | optional | Select is supported to limit the properties returned in this query |
| $skip | number | optional | Skip is supported to skip over elements in pages. Combine with $top to perform pagination or use the @odata.nextLink for server-side pagination |
| $top | number | optional | Top is supported to limit the number of elements per page. Combine with $skip to perform pagination or use the @odata.nextLink for server-side pagination |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| value | array | Value for the parameter |
| @odata.type | string | Response data |
| id | string | Unique identifier |
| expirationDateTime | string | Time value |
| registrationDateTime | string | Time value |
| firstSeenDateTime | object | Time value |
| lastSeenDateTime | object | Time value |
| lastUpdateDateTime | string | Time value |
| billing | object | Output field billing |
| noc | object | Output field noc |
| zone | object | Output field zone |
| whoisServer | string | Output field whoisServer |
| domainStatus | string | Status value |
| rawWhoisText | string | Output field rawWhoisText |
| abuse | object | Output field abuse |
| email | string | Output field email |
| name | object | Name of the resource |
| organization | object | Output field organization |
| telephone | string | Output field telephone |
| fax | object | Output field fax |
| address | object | Output field address |
| city | object | Output field city |
| countryOrRegion | object | Output field countryOrRegion |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Cache-Control": "no-store, must-revalidate, no-cache, max-age=0",
      "Pragma": "no-cache",
      "Transfer-Encoding": "chunked",
      "Content-Type": "application/json",
      "Content-Encoding": "gzip",
      "Expires": "0",
      "Strict-Transport-Security": "max-age=31536000",
      "request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "client-request-id": "33e59775-3b6f-4cf1-86a8-8a3cb1c4e301",
      "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"Central India\",\"Slice\":\"E\",\"Ring\":\"3\",\"ScaleUnit\":\"...",
      "x-content-type-options": "nosniff",
      "Vary": "Origin,Access-Control-Request-Method,Access-Control-Request-Headers, Accept-Enco...",
      "Date": "Thu, 17 Oct 2024 12:51:44 GMT"
    },
    "reason": "OK",
    "json_body": {
      "value": []
    }
  }
]
```

### List Whois History Records by ID

Retrieve the historical WHOIS record data for a given ID in Microsoft Defender Threat Intelligence.

- Endpoint URL: `/v1.0/security/threatIntelligence/whoisRecords/{{id}}/history`
- Method: GET

#### Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |
| $count | boolean | optional | Count is supported to return a holistic count of the number of whoisHistoryRecord objects |
| $select | string | optional | Select is supported to limit the properties returned in this query |
| $skip | number | optional | Skip is supported to skip over elements in pages. Combine with $top to perform pagination or use the @odata.nextLink for server-side pagination |
| $top | number | optional | Top is supported to limit the number of elements per page. Combine with $skip to perform pagination or use the @odata.nextLink for server-side pagination |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| value | array | Value for the parameter |
| @odata.type | string | Response data |
| id | string | Unique identifier |
| expirationDateTime | string | Time value |
| registrationDateTime | string | Time value |
| firstSeenDateTime | object | Time value |
| lastSeenDateTime | object | Time value |
| lastUpdateDateTime | string | Time value |
| billing | object | Output field billing |
| noc | object | Output field noc |
| zone | object | Output field zone |
| whoisServer | string | Output field whoisServer |
| domainStatus | string | Status value |
| rawWhoisText | string | Output field rawWhoisText |
abuse object output field abuse email string output field email name object name of the resource organization object output field organization telephone string output field telephone fax object output field fax address object output field address city object output field city countryorregion object output field countryorregion example \[ { "status code" 200, "response headers" { "cache control" "no store, must revalidate, no cache, max age=0", "pragma" "no cache", "transfer encoding" "chunked", "content type" "application/json", "content encoding" "gzip", "expires" "0", "strict transport security" "max age=31536000", "request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301", "client request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301", "x ms ags diagnostic" "{\\"serverinfo\\" {\\"datacenter\\" \\"central india\\",\\"slice\\" \\"e\\",\\"ring\\" \\"3\\",\\"scaleunit\\" \\" ", "x content type options" "nosniff", "vary" "origin,access control request method,access control request headers, accept enco ", "date" "thu, 17 oct 2024 12 51 44 gmt" }, "reason" "ok", "json body" { "value" \[] } } ] list whois records retrieve a list of whois record objects from microsoft defender threat intelligence using search parameters endpoint url /v1 0/security/threatintelligence/whoisrecords method get input argument name type required description $count boolean optional count is supported to return a holistic count of the number of whois record objects $orderby array optional orderby supports some properties of the whois record resource $search string required search is required in the request url of this api the api currently only supports searching by one field in a call $select string optional select is supported to limit the properties returned in this query $skip number optional skip is supported to skip over elements in pages combine with $top to perform pagination or use the @odata nextlink for server side pagination $top number optional top is supported to limit the number of elements 
per page combine with $skip to perform pagination or use the @odata nextlink for server side pagination output parameter type description status code number http status code of the response reason string response reason phrase value array value for the parameter @odata type string response data id string unique identifier expirationdatetime string time value registrationdatetime string time value firstseendatetime object time value lastseendatetime object time value lastupdatedatetime string time value billing object output field billing noc object output field noc zone object output field zone whoisserver string output field whoisserver domainstatus string status value rawwhoistext string output field rawwhoistext abuse object output field abuse email string output field email name object name of the resource organization object output field organization telephone string output field telephone fax object output field fax address object output field address city object output field city countryorregion object output field countryorregion example \[ { "status code" 200, "response headers" { "cache control" "no store, must revalidate, no cache, max age=0", "pragma" "no cache", "transfer encoding" "chunked", "content type" "application/json", "content encoding" "gzip", "expires" "0", "strict transport security" "max age=31536000", "request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301", "client request id" "33e59775 3b6f 4cf1 86a8 8a3cb1c4e301", "x ms ags diagnostic" "{\\"serverinfo\\" {\\"datacenter\\" \\"central india\\",\\"slice\\" \\"e\\",\\"ring\\" \\"3\\",\\"scaleunit\\" \\" ", "x content type options" "nosniff", "vary" "origin,access control request method,access control request headers, accept enco ", "date" "thu, 17 oct 2024 12 51 44 gmt" }, "reason" "ok", "json body" { "value" \[] } } ] response headers header description example cache control directives for caching mechanisms no store, must revalidate, no cache, max age=0 client request id http response header 
client request id 33e59775 3b6f 4cf1 86a8 8a3cb1c4e301 content encoding http response header content encoding gzip content type the media type of the resource application/json date the date and time at which the message was originated thu, 17 oct 2024 12 51 44 gmt expires the date/time after which the response is considered stale 0 pragma http response header pragma no cache request id http response header request id 33e59775 3b6f 4cf1 86a8 8a3cb1c4e301 strict transport security http response header strict transport security max age=31536000 transfer encoding http response header transfer encoding chunked vary http response header vary origin,access control request method,access control request headers, accept encoding x content type options http response header x content type options nosniff x ms ags diagnostic http response header x ms ags diagnostic {"serverinfo" {"datacenter" "central india","slice" "e","ring" "3","scaleunit" "001","roleinstance" "pn3pepf000003cb"}}
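The two rules the List SSL Certificates and List WHOIS Records actions above share, no colon anywhere in the $search value and @odata.nextLink for server-side pagination, as an added Python example that is not code from the Swimlane connector or from Microsoft. The "property:value" search syntax, the fetch callback returning the connector-style envelope, and the two sample pages are assumptions.

```python
# Added example, not code from the Swimlane connector or Microsoft. It shows
# the two rules the List SSL Certificates and List WHOIS Records actions share:
# no colon in the $search value, and @odata.nextLink pagination. Assumptions:
# "property:value" search syntax and a fetch callback returning the envelope.
from typing import Callable, Iterator
from urllib.parse import quote

GRAPH_BASE = "https://graph.microsoft.com/v1.0/security/threatIntelligence"


def build_search_url(resource: str, prop: str, value: str, top: int = 50) -> str:
    """Compose the request URL for `resource` (e.g. sslCertificates). Colons are
    stripped from the value because the $search string must not contain any."""
    cleaned = value.replace(":", "")  # e.g. a SHA-1 written as aa:bb:cc
    search = quote(f'"{prop}:{cleaned}"', safe="")  # assumed prop:value syntax
    return f"{GRAPH_BASE}/{resource}?$search={search}&$top={top}"


def iter_values(first_url: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Yield objects from every page, following @odata.nextLink until absent."""
    url, seen = first_url, set()
    while url:
        if url in seen:  # a nextLink that repeats would loop forever
            raise RuntimeError("pagination loop detected")
        seen.add(url)
        resp = fetch(url)  # envelope: {"status_code", "reason", "json_body"}
        if resp["status_code"] != 200:
            raise RuntimeError(f"{resp['status_code']} {resp['reason']}")
        body = resp["json_body"]
        yield from body.get("value", [])
        url = body.get("@odata.nextLink")


# Constructed two-page response set (sample data, not real certificate records).
_FIRST = build_search_url("sslCertificates", "sha1", "aa:bb:cc")
_NEXT = f"{GRAPH_BASE}/sslCertificates?$skip=2"
_PAGES = {
    _FIRST: {"status_code": 200, "reason": "OK",
             "json_body": {"value": [{"id": "cert-1"}, {"id": "cert-2"}],
                           "@odata.nextLink": _NEXT}},
    _NEXT: {"status_code": 200, "reason": "OK",
            "json_body": {"value": [{"id": "cert-3"}]}},
}


def collect_ids(resource: str, prop: str, value: str) -> list:
    """Search the constructed pages and return every id found across pages."""
    url = build_search_url(resource, prop, value)
    return [obj["id"] for obj in iter_values(url, _PAGES.__getitem__)]
```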