# **Microsoft Defender Threat Intelligence**

## Jupyter Notebook using MDTI to return the Reputation dataset. There is an example for a single domain/IP address entity, and then an example of a bulk Reputation return for classification as well as score.

#### Author: 
Dennis Mercer  
Sr Program Manager  
Microsoft CxE MDTI  

##### Microsoft Defender Threat Intelligence (MDTI) is a complete threat intelligence platform that enables security professionals to ingest, analyze and act upon trillions of signals collected from across the internet and processed by security experts and AI. MDTI allows users to uncover and understand the global threat landscape as it relates to their organization, including context around vulnerabilities, threat actors, and the threat infrastructure that might be used to attack them.

##### Microsoft processes over 65-trillion signals every day, which are used to populate the database from which MDTI pulls its threat intelligence datasets. The key to operationalizing threat intelligence is to make it not just applicable, but actionable. This notebook seeks to make threat intelligence actionable for SOC analysts, threat hunters and cyber threat intelligence researchers.

##### With this Jupyter Notebook, you can call the Reputation endpoint and return the reputation classification and score. Additionally, you can use other APIs to create further datasets for your notebook.



_________________________________________________________________________________________________________________________________________________________
### You will need to install aiohttp and msal for the bulk Reputation request.

In [None]:
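# aiohttp and msal are used by the bulk Reputation request;
# requests and azure-identity are imported by the cells below
%pip install aiohttp msal requests azure-identity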

________________________________________________________________________________________________________________________________________________________
### Import Statements for any potential calls within the cells below or any modifications that could be made to the source of the Typosquat Services

In [None]:
import os
import requests
import json
from azure.identity import ClientSecretCredential

### This cell will return the JSON response for a single entity (Domain or IP Address).

In [None]:
# Get the client secret from a local file
# (the path below is a placeholder: point it at a file readable only by your account)
with open(os.path.expanduser('~/.mdti_client_secret')) as secret_file:
    client_secret = secret_file.read().strip()

credential = ClientSecretCredential(
    tenant_id='Enter your TenantID',     # Tenant ID
    client_id='Enter your App ClientID', # Client ID from the app registration
    client_secret=client_secret          # Do not leave the client secret exposed: delete the secret once you have used it, or employ Key Vault
)

scopes = ['https://graph.microsoft.com/.default']  # Scopes or permissions required for API access

# Get the access token
access_token = credential.get_token(*scopes).token
# Prepare the request headers
headers = {
    'Authorization': 'Bearer ' + access_token,
    'Content-Type': 'application/json'
}

# Get user input (surrounding whitespace removed) and make the Graph API call
hosts = input("Please enter the IP address or Domain Name (e.g., 'microsoft.com'): ").strip()
ENDPOINT = f"https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts('{hosts}')/reputation"

# A timeout keeps the cell from hanging if the API does not respond
response = requests.get(ENDPOINT, headers=headers, timeout=30)

if response.status_code == 200:
    data = response.json()
    print(json.dumps(data, indent=4))
else:
    print(f"Error {response.status_code}: {response.text}")
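
The cell above places whatever the analyst types straight into the request path, and indicators copied from reports are often defanged (`hxxp://`, `[.]`). The following is an added example, not part of the original notebook, that validates and refangs the input before building the same endpoint URL and reduces a response to classification and score. The function names are hypothetical, and the sample response is constructed using the `classification`, `score` and `rules` fields of the Graph host reputation resource.

```python
import ipaddress
import re
from urllib.parse import quote

GRAPH_HOSTS = "https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts"
# One DNS label: letters, digits, hyphens; no leading or trailing hyphen
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")

# Constructed sample response (not real MDTI data)
SAMPLE_RESPONSE = {
    "classification": "suspicious",
    "score": 75,
    "rules": [{"name": "Constructed rule", "severity": "medium"}],
}


def normalize_indicator(raw):
    """Return a validated IP address or domain name, or raise ValueError."""
    value = raw.strip().lower()
    # Undo the defanging commonly applied to indicators in reports
    value = value.replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^h(?:tt|xx)ps?://", "", value).split("/")[0]
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    tld = value.rsplit(".", 1)[-1]
    if len(value) <= 253 and _DOMAIN_RE.fullmatch(value) and not tld.isdigit():
        return value
    raise ValueError(f"not an IP address or domain name: {raw!r}")


def reputation_url(raw):
    """Build the reputation endpoint URL from a validated indicator only."""
    host = quote(normalize_indicator(raw), safe="")
    return f"{GRAPH_HOSTS}('{host}')/reputation"


def summarize(reputation):
    """Reduce a reputation response to classification, score and rule names."""
    rules = [(r.get("severity"), r.get("name")) for r in reputation.get("rules", [])]
    return reputation.get("classification"), reputation.get("score"), rules
```

In the cell above, `ENDPOINT = reputation_url(hosts)` would replace the f-string, and `summarize(response.json())` would replace the raw JSON dump.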
