# **Microsoft Defender Threat Intelligence**

## Jupyter Notebook Demo for GBBs to present the MDTI Graph API

##### Microsoft Defender Threat Intelligence (MDTI) is a complete threat intelligence platform that enables security professionals to ingest, analyze and act upon trillions of signals collected from across the internet and processed by security experts and AI. MDTI allows users to uncover and understand the global threat landscape as it relates to their organization, including context around vulnerabilities, threat actors, and the threat infrastructure that might be used to attack them.

##### Microsoft processes over 65 trillion signals every day. The key to operationalizing threat intelligence is to make it not just applicable, but actionable. Combined with AI and the expertise of 8,500 dedicated security professionals, this wealth of external telemetry and signal data is wrangled into immediately actionable insights.

# What data can you obtain using the MDTI Graph API?
- Reputation scoring: dynamically calculated severity scoring for IP addresses, domains, and hosts based on real-world threats and observations.
- Components
- Trackers
- Threat intel articles
- Intel profiles
- Vulnerabilities

_____________________________________________________________
# Get a Token from Azure Active Directory


#### Get the client secret and set it as an environment variable
##### This example is primarily intended for VSCode: the client secret is read from a text file in the folder, so it is not exposed to anyone viewing the notebook.
##### If you are going to use this notebook in Azure Machine Learning, you will need to set up a secure string or a key vault.

In [None]:
import os

# Read the client secret from a text file
with open("client_secret.txt", "r") as f:
    client_secret = f.read().strip()

# Set the client secret as an environment variable
os.environ["CLIENT_SECRET"] = client_secret

#### Get the Token with this cell

In [None]:
from msal import ConfidentialClientApplication

# Azure AD application credentials
client_id = ""
# If you are not using a secure string or key vault, you will need to un-comment the line below and add the secret there.
# client_secret = ""
tenant_id = ""


# Create a ConfidentialClientApplication object
app = ConfidentialClientApplication(
    client_id=client_id,
    client_credential=client_secret,
    authority=f"https://login.microsoftonline.com/{tenant_id}",
)

# Get a token from Azure AD using the client credentials flow. MSAL caches
# app-only tokens, so check the cache first and only call the token endpoint
# when no valid token is available.
scopes = ["https://graph.microsoft.com/.default"]
result = app.acquire_token_silent(scopes=scopes, account=None)

if not result:
    result = app.acquire_token_for_client(scopes=scopes)

# Fail loudly if the token request was rejected instead of raising a KeyError later
if "access_token" not in result:
    raise RuntimeError(f"Token request failed: {result.get('error')}: {result.get('error_description')}")

# Get the access token
access_token = result["access_token"]

# Print only a prefix: the full bearer token would otherwise be saved in the notebook output
print("Access Token:", access_token[:10] + "...", "(expires in", result.get("expires_in"), "seconds)")


_____________________________________________________________
# Start Calling Graph APIs with different parameters

In [None]:
# Prompt user to enter the domain name or IP address to investigate (trim stray whitespace)
entity_ID = input("Enter the Domain or IP Address you want to investigate: ").strip()

print("The Domain Name or IP Address to be investigated is: " + entity_ID)

### Calling Graph API for Host Information 

In [None]:
import requests
import json

# Graph API base URL
graph_api_base_url = f"https://graph.microsoft.com/beta/security/threatIntelligence/hosts/{entity_ID}"

# Create headers with Authorization token
headers = {
    "Authorization": f"Bearer {access_token}",
    "Content-Type": "application/json"
}

# Send GET request to Graph API endpoint
response = requests.get(graph_api_base_url, headers=headers)

# Check for HTTP errors
try:
    response.raise_for_status()
except requests.exceptions.HTTPError as http_err:
    print(f"HTTP error occurred: {http_err}")
except Exception as err:
    print(f"Other error occurred: {err}")
else:
    # Print response content as JSON
    print(json.dumps(json.loads(response.content), indent=4))


### Calling the Graph API for Reputation

In [None]:
import requests
import json

# Graph API base URL
graph_api_base_url = f"https://graph.microsoft.com/beta/security/threatIntelligence/hosts/{entity_ID}/reputation"

# Create headers with Authorization token
headers = {
    "Authorization": f"Bearer {access_token}",
    "Content-Type": "application/json"
}

# Send GET request to Graph API endpoint
response = requests.get(graph_api_base_url, headers=headers)

# Check for HTTP errors
try:
    response.raise_for_status()
except requests.exceptions.HTTPError as http_err:
    print(f"HTTP error occurred: {http_err}")
except Exception as err:
    print(f"Other error occurred: {err}")
else:
    # Print response content as JSON
    print(json.dumps(json.loads(response.content), indent=4))


### Calling Graph API for Reputation - Return only Reputation Class, Score and Rules triggered

In [None]:
import requests
import json

# Graph API base URL
graph_api_base_url = f"https://graph.microsoft.com/beta/security/threatIntelligence/hosts/{entity_ID}/reputation"

# Create headers with Authorization token
headers = {
    "Authorization": f"Bearer {access_token}",
    "Content-Type": "application/json"
}

# Send GET request to Graph API endpoint
response = requests.get(graph_api_base_url, headers=headers)

# Check for HTTP errors
try:
    response.raise_for_status()
except requests.exceptions.HTTPError as http_err:
    print(f"HTTP error occurred: {http_err}")
except Exception as err:
    print(f"Other error occurred: {err}")
else:
    # Parse response content as JSON
    json_response = json.loads(response.content)

    # The classification (unknown, neutral, suspicious, malicious) is a top-level
    # field of the hostReputation object, not a field of each rule; flag the host
    # when it is suspicious or malicious
    classification = str(json_response.get("classification", "")).lower()
    is_suspicious = classification in ("suspicious", "malicious")

    # Print classification, score, and the rules that contributed to the score
    print(f"Classification: {json_response.get('classification')}")
    print(f"Score: {json_response.get('score')}")
    print("Rules:")
    for rule in json_response.get("rules", []):
        if is_suspicious:
            print(f"\x1b[41m\x1b[37mSUSPICIOUS SITE\x1b[0m: {rule.get('name', '')}")
        else:
            print(f"{rule.get('name', '')}")

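The cell above prints the reputation fields directly from the response dictionary. As an added example (not part of the notebook), the helper below reduces a hostReputation document to the fields an analyst acts on, tolerates missing fields, and orders the rules by severity; the JSON payload and rule names are constructed sample data, not a real MDTI response.

```python
import json

# Constructed sample in the shape of a Graph hostReputation object (not a real MDTI response)
SAMPLE_REPUTATION = json.dumps({
    "classification": "suspicious",
    "score": 75,
    "rules": [
        {"name": "Recently registered domain", "severity": "medium",
         "description": "Domain was registered less than 30 days ago"},
        {"name": "Hosted on known bad ASN", "severity": "high",
         "description": "ASN has a history of hosting malicious infrastructure"},
    ],
})

# Classifications that should be flagged for the analyst
FLAGGED = ("suspicious", "malicious")


def summarize_reputation(payload: str) -> dict:
    """Reduce a hostReputation JSON document to the fields an analyst acts on.

    Missing or unexpected fields never raise: classification defaults to
    "unknown", score to None and rules to an empty list, so a partial
    response still yields a usable summary.
    """
    body = json.loads(payload)
    classification = str(body.get("classification") or "unknown").lower()
    rules = body.get("rules") or []
    return {
        "classification": classification,
        "score": body.get("score"),
        "flagged": classification in FLAGGED,
        # highest-severity rules first so the reason for the score is visible at a glance
        "rules": sorted(
            ({"name": r.get("name", ""), "severity": str(r.get("severity", "")).lower()} for r in rules),
            key=lambda r: {"high": 0, "medium": 1, "low": 2}.get(r["severity"], 3),
        ),
    }


def format_summary(summary: dict) -> str:
    """Plain-text rendering suitable for a notebook cell or a ticket comment."""
    tag = "SUSPICIOUS SITE: " if summary["flagged"] else ""
    lines = [f"{tag}classification={summary['classification']} score={summary['score']}"]
    lines += [f"  [{r['severity'] or 'n/a'}] {r['name']}" for r in summary["rules"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(summarize_reputation(SAMPLE_REPUTATION)))
```

In the notebook, pass `response.content` in place of `SAMPLE_REPUTATION` to run the same summary over a live reputation response.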

### Calling the Graph API for Components

In [None]:
import requests
import json

# Graph API base URL
graph_api_base_url = f"https://graph.microsoft.com/beta/security/threatIntelligence/hosts/{entity_ID}/components"

# Create headers with Authorization token
headers = {
    "Authorization": f"Bearer {access_token}",
    "Content-Type": "application/json"
}

# Send GET request to Graph API endpoint
response = requests.get(graph_api_base_url, headers=headers)

# Check for HTTP errors
try:
    response.raise_for_status()
except requests.exceptions.HTTPError as http_err:
    print(f"HTTP error occurred: {http_err}")
except Exception as err:
    print(f"Other error occurred: {err}")
else:
    # Print response content as JSON
    print(json.dumps(json.loads(response.content), indent=4))


### Calling the Graph API for Cookies

In [None]:
import requests
import json

# Graph API base URL
graph_api_base_url = f"https://graph.microsoft.com/beta/security/threatIntelligence/hosts/{entity_ID}/cookies"

# Create headers with Authorization token
headers = {
    "Authorization": f"Bearer {access_token}",
    "Content-Type": "application/json"
}

# Send GET request to Graph API endpoint
response = requests.get(graph_api_base_url, headers=headers)

# Check for HTTP errors
try:
    response.raise_for_status()
except requests.exceptions.HTTPError as http_err:
    print(f"HTTP error occurred: {http_err}")
except Exception as err:
    print(f"Other error occurred: {err}")
else:
    # Print response content as JSON
    print(json.dumps(json.loads(response.content), indent=4))


### Calling the Graph API for Trackers

In [None]:
import requests
import json

# Graph API base URL
graph_api_base_url = f"https://graph.microsoft.com/beta/security/threatIntelligence/hosts/{entity_ID}/trackers?count=true"

# Create headers with Authorization token
headers = {
    "Authorization": f"Bearer {access_token}",
    "Content-Type": "application/json"
}

# Send GET request to Graph API endpoint
response = requests.get(graph_api_base_url, headers=headers)

# Check for HTTP errors
try:
    response.raise_for_status()
except requests.exceptions.HTTPError as http_err:
    print(f"HTTP error occurred: {http_err}")
except Exception as err:
    print(f"Other error occurred: {err}")
else:
    # Print response content as JSON
    print(json.dumps(json.loads(response.content), indent=4))

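Graph collections such as trackers are returned one page at a time and Graph may throttle callers, yet the cell above only reads the first page. As an added example (not the notebook's own code), the helpers below follow `@odata.nextLink` until the collection is exhausted, honour `Retry-After` on a 429, and bound the walk so a bad link chain cannot loop forever; the fake session, host name and tracker values are constructed so the code runs offline.

```python
import time
from types import SimpleNamespace
from typing import Iterator

GRAPH_BASE = "https://graph.microsoft.com/beta/security/threatIntelligence"


def graph_get(url: str, access_token: str, session, max_retries: int = 3) -> dict:
    """GET one Graph page; on 429/503 wait for Retry-After and retry, otherwise raise."""
    headers = {"Authorization": f"Bearer {access_token}"}
    for attempt in range(max_retries + 1):
        resp = session.get(url, headers=headers, timeout=30)
        if resp.status_code in (429, 503) and attempt < max_retries:
            time.sleep(float(resp.headers.get("Retry-After", "1")))
            continue
        resp.raise_for_status()
        return resp.json()
    raise RuntimeError("unreachable")  # the loop always returns or raises


def iter_collection(url: str, access_token: str, session, max_pages: int = 50) -> Iterator[dict]:
    """Yield every item of a Graph collection by following @odata.nextLink (an absolute URL)."""
    seen, next_url, pages = set(), url, 0
    while next_url and pages < max_pages and next_url not in seen:  # bounded walk
        seen.add(next_url)
        body = graph_get(next_url, access_token, session)
        yield from body.get("value", [])
        next_url, pages = body.get("@odata.nextLink"), pages + 1


def make_fake_session():
    """Constructed stand-in for requests.Session: first call is throttled, then two pages."""
    p1 = f"{GRAPH_BASE}/hosts/example.test/trackers"
    pages = {p1: {"value": [{"kind": "GoogleAnalyticsId", "value": "UA-0000-1"}],
                  "@odata.nextLink": p1 + "?$skiptoken=abc"},
             p1 + "?$skiptoken=abc": {"value": [{"kind": "FacebookId", "value": "000"}]}}
    calls = []

    def get(url, headers=None, timeout=None):
        calls.append(url)
        if len(calls) == 1:  # simulate Graph throttling exactly once
            return SimpleNamespace(status_code=429, headers={"Retry-After": "0"},
                                   json=dict, raise_for_status=lambda: None)
        return SimpleNamespace(status_code=200, headers={}, json=lambda: pages[url],
                               raise_for_status=lambda: None)
    return SimpleNamespace(get=get, calls=calls)


def collect_trackers(host: str, access_token: str, session) -> list:
    """All trackers for a host, across every page (pass requests.Session() for real calls)."""
    return list(iter_collection(f"{GRAPH_BASE}/hosts/{host}/trackers", access_token, session))
```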

_____________________________________________________________
### Calling the Graph API to get an Article

#### Enter the ID of the article you wish to query

In [None]:
# Prompt user to enter the article ID (trim stray whitespace)
articleId = input("Enter the article ID: ").strip()

print(articleId)

#### Graph API Call for the Article Requested

In [None]:
import requests
import json

# Graph API base URL
graph_api_base_url = f"https://graph.microsoft.com/beta/security/threatIntelligence/articles/{articleId}"

# Create headers with Authorization token
headers = {
    "Authorization": f"Bearer {access_token}",
    "Content-Type": "application/json"
}

# Send GET request to Graph API endpoint
response = requests.get(graph_api_base_url, headers=headers)

# Check for HTTP errors
try:
    response.raise_for_status()
except requests.exceptions.HTTPError as http_err:
    print(f"HTTP error occurred: {http_err}")
except Exception as err:
    print(f"Other error occurred: {err}")
else:
    # Print response content as JSON
    print(json.dumps(json.loads(response.content), indent=4))


_____________________________________________________________
### Graph API call for Intel Profile

#### Get the Profile Id

In [None]:
# Prompt user to enter the intel profile ID (trim stray whitespace)
ProfileId = input("Enter the Profile ID: ").strip()

print(ProfileId)

#### Graph API Call to return Intel Profile Requested

In [None]:
import requests
import json

# Graph API base URL
graph_api_base_url = f"https://graph.microsoft.com/beta/security/threatIntelligence/intelProfiles/{ProfileId}"

# Create headers with Authorization token
headers = {
    "Authorization": f"Bearer {access_token}",
    "Content-Type": "application/json"
}

# Send GET request to Graph API endpoint
response = requests.get(graph_api_base_url, headers=headers)

# Check for HTTP errors
try:
    response.raise_for_status()
except requests.exceptions.HTTPError as http_err:
    print(f"HTTP error occurred: {http_err}")
except Exception as err:
    print(f"Other error occurred: {err}")
else:
    # Print response content as JSON
    print(json.dumps(json.loads(response.content), indent=4))


_____________________________________________________________
### Graph API Query for Vulnerability

#### Get the vulnerability ID to query for

In [None]:
# Prompt user to enter the vulnerability ID (trim stray whitespace)
VulnId = input("Enter the vulnerability ID: ").strip()

print(VulnId)

#### API call to return the requested vulnerability information

In [None]:
import requests
import json

# Graph API base URL
graph_api_base_url = f"https://graph.microsoft.com/beta/security/threatIntelligence/vulnerabilities/{VulnId}"

# Create headers with Authorization token
headers = {
    "Authorization": f"Bearer {access_token}",
    "Content-Type": "application/json"
}

# Send GET request to Graph API endpoint
response = requests.get(graph_api_base_url, headers=headers)

# Check for HTTP errors
try:
    response.raise_for_status()
except requests.exceptions.HTTPError as http_err:
    print(f"HTTP error occurred: {http_err}")
except Exception as err:
    print(f"Other error occurred: {err}")
else:
    # Print response content as JSON
    print(json.dumps(json.loads(response.content), indent=4))


#### For troubleshooting: returns the response headers along with the expected output

In [None]:
import requests
import json

# Graph API base URL
graph_api_base_url = "https://graph.microsoft.com/beta/security/threatIntelligence/hosts/062fe.com/reputation"

# Create headers with Authorization token
headers = {
    "Authorization": f"Bearer {access_token}",
    "Content-Type": "application/json"
}

# Send GET request to Graph API endpoint
response = requests.get(graph_api_base_url, headers=headers)

# Check for HTTP errors
try:
    response.raise_for_status()
except requests.exceptions.HTTPError as http_err:
    print(f"HTTP error occurred: {http_err}")
except Exception as err:
    print(f"Other error occurred: {err}")
else:
    # Print response headers
    print("Response Headers:")
    print("-----------------")
    for header, value in response.headers.items():
        print(f"{header}: {value}")
    print()

    # Print response content as JSON
    print("Response Content:")
    print("-----------------")
    print(json.dumps(json.loads(response.content), indent=4))
