ThreatIntelligence.Read.All
Allows the app to read threat intelligence information, such as indicators, observations, and articles, on behalf of the signed-in user.
Merill's Note
For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the
ThreatIntelligence.Read.Allpermission.If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the
Export-MsIdAppConsentGrantReportcommand. See How To: Run a quick OAuth app audit of your tenant
| Category | Application | Delegated |
|---|---|---|
| Identifier | e0b77adb-e790-44a3-b0a0-257d06303687 | f266d9c0-ccb9-4fb8-a228-01ac0d8d6627 |
| DisplayText | Read all Threat Intelligence Information | Read all threat intelligence information |
| Description | Allows the app to read threat intelligence information, such as indicators, observations, and and articles, without a signed in user. | Allows the app to read threat intelligence information, such as indicators, observations, and articles, on behalf of the signed-in user. |
| AdminConsentRequired | Yes | Yes |
Graph Methods
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)
| Methods | |
|---|---|
→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)
| Commands | |
|---|---|
→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)
| Commands | |
|---|---|
Resources
Granting this permission allows the calling application to access (and/or update) the following information in your tenant.
- article
- articleIndicator
- auditLogQuery
- host
- hostComponent
- hostCookie
- hostname
- hostPair
- hostPort
- hostReputation
- hostSslCertificate
- hostTracker
- intelligenceProfile
- intelligenceProfileIndicator
- ipAddress
- passiveDnsRecord
- sslCertificate
- sslCertificateEntity
- subdomain
- vulnerability
- vulnerabilityComponent
- whoisContact
- whoisHistoryRecord
- whoisRecord
Graph reference: article
| Property | Type | Description |
|---|---|---|
| body | microsoft.graph.security.formattedContent | Formatted article contents. |
| createdDateTime | DateTimeOffset | The date and time when this article was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| isFeatured | Boolean | Indicates whether this article is currently featured by Microsoft. |
| id | String | The system-generated ID for this article. |
| imageUrl | String | URL of the header image for this article, used for display purposes. |
| lastUpdatedDateTime | DateTimeOffset | The most recent date and time when this article was updated. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| summary | microsoft.graph.security.formattedContent | A quick summary of this article. |
| tags | String collection | Tags for this article, communicating keywords, or key concepts. |
| title | String | The title of this **a |
Graph reference: articleIndicator
| Property | Type | Description |
|---|---|---|
| id | String | The system-generated ID for the articleIndicator. Inherited from microsoft.graph.security.indicator. |
| source | microsoft.graph.security.indicatorSource | Communicates where this **a |
Graph reference: auditLogQuery
| Property | Type | Description |
|---|---|---|
| administrativeUnitIdFilters | String collection | The administrative units tagged to an audit log record. |
| displayName | String | The display name of the saved audit log query. |
| filterEndDateTime | DateTimeOffset | The end date of the date range in the query. |
| filterStartDateTime | DateTimeOffset | The start date of the date range in the query. |
| id | String | Unique identifier for the audit log query. Inherited from microsoft.graph.entity. |
| ipAddressFilters | String collection | The IP address of the device that was used when the activity was logged. |
| keywordFilter | String | Free text field to search non-indexed properties of the audit log. |
| objectIdFilters | String collection | For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet. |
| operationFilters | String collection | The name of the user or admin activity. For a description of the most common operations/activities, see Search the audit log in the Office 365 Protection Center. |
| recordTypeFilters | microsoft.graph.security.auditLogRecordType collection | The type of operation indicated by the record. The possible values are: exchangeAdmin, exchangeItem, exchangeItemGroup, sharePoint, syntheticProbe, sharePointFileOperation, oneDrive, azureActiveDirectory, azureActiveDirectoryAccountLogon, dataCenterSecurityCmdlet, complianceDLPSharePoint, sway, complianceDLPExchange, sharePointSharingOperation, azureActiveDirectoryStsLogon, skypeForBusinessPSTNUsage, skypeForBusinessUsersBlocked, securityComplianceCenterEOPCmdlet, exchangeAggregatedOperation, powerBIAudit, crm, yammer, skypeForBusinessCmdlets, discovery, microsoftTeams, threatIntelligence, mailSubmission, microsoftFlow, aeD, microsoftStream, complianceDLPSharePointClassification, threatFinder, project, sharePointListOperation, sharePointCommentOperation, dataGovernance, kaizala, securityComplianceAlerts, threatIntelligenceUrl, securityComplianceInsights, mipLabel, workplaceAnalytics, powerAppsApp, powerAppsPlan, threatIntelligenceAtpContent, labelContentExplorer, teamsHealthcare, exchangeItemAggregated, hygieneEvent, dataInsightsRestApiAudit, informationBarrierPolicyApplication, sharePointListItemOperation, sharePointContentTypeOperation, sharePointFieldOperation, microsoftTeamsAdmin, hrSignal, microsoftTeamsDevice, microsoftTeamsAnalytics, informationWorkerProtection, campaign, dlpEndpoint, airInvestigation, quarantine, microsoftForms, applicationAudit, complianceSupervisionExchange, customerKeyServiceEncryption, officeNative, mipAutoLabelSharePointItem, mipAutoLabelSharePointPolicyLocation, microsoftTeamsShifts, secureScore, mipAutoLabelExchangeItem, cortanaBriefing, search, wdatpAlerts, powerPlatformAdminDlp, powerPlatformAdminEnvironment, mdatpAudit, sensitivityLabelPolicyMatch, sensitivityLabelAction, sensitivityLabeledFileAction, attackSim, airManualInvestigation, securityComplianceRBAC, userTraining, airAdminActionInvestigation, mstic, physicalBadgingSignal, teamsEasyApprovals, aipDiscover, aipSensitivityLabelAction, aipProtectionAction, aipFileDeleted, aipHeartBeat, mcasAlerts, onPremisesFileShareScannerDlp, onPremisesSharePointScannerDlp, exchangeSearch, sharePointSearch, privacyDataMinimization, labelAnalyticsAggregate, myAnalyticsSettings, securityComplianceUserChange, complianceDLPExchangeClassification, complianceDLPEndpoint, mipExactDataMatch, msdeResponseActions, msdeGeneralSettings, msdeIndicatorsSettings, ms365DCustomDetection, msdeRolesSettings, mapgAlerts, mapgPolicy, mapgRemediation, privacyRemediationAction, privacyDigestEmail, mipAutoLabelSimulationProgress, mipAutoLabelSimulationCompletion, mipAutoLabelProgressFeedback, dlpSensitiveInformationType, mipAutoLabelSimulationStatistics, largeContentMetadata, microsoft365Group, cdpMlInferencingResult, filteringMailMetadata, cdpClassificationMailItem, cdpClassificationDocument, officeScriptsRunAction, filteringPostMailDeliveryAction, cdpUnifiedFeedback, tenantAllowBlockList, consumptionResource, healthcareSignal, dlpImportResult, cdpCompliancePolicyExecution, multiStageDisposition, privacyDataMatch, filteringDocMetadata, filteringEmailFeatures, powerBIDlp, filteringUrlInfo, filteringAttachmentInfo, coreReportingSettings, complianceConnector, powerPlatformLockboxResourceAccessRequest, powerPlatformLockboxResourceCommand, cdpPredictiveCodingLabel, cdpCompliancePolicyUserFeedback, webpageActivityEndpoint, omePortal, cmImprovementActionChange, filteringUrlClick, mipLabelAnalyticsAuditRecord, filteringEntityEvent, filteringRuleHits, filteringMailSubmission, labelExplorer, microsoftManagedServicePlatform, powerPlatformServiceActivity, scorePlatformGenericAuditRecord, filteringTimeTravelDocMetadata, alert, alertStatus, alertIncident, incidentStatus, case, caseInvestigation, recordsManagement, privacyRemediation, dataShareOperation, cdpDlpSensitive, ehrConnector, filteringMailGradingResult, publicFolder, privacyTenantAuditHistoryRecord, aipScannerDiscoverEvent, eduDataLakeDownloadOperation, m365ComplianceConnector, microsoftGraphDataConnectOperation, microsoftPurview, filteringEmailContentFeatures, powerPagesSite, powerAppsResource, plannerPlan, plannerCopyPlan, plannerTask, plannerRoster, plannerPlanList, plannerTaskList, plannerTenantSettings, projectForTheWebProject, projectForTheWebTask, projectForTheWebRoadmap, projectForTheWebRoadmapItem, projectForTheWebProjectSettings, projectForTheWebRoadmapSettings, quarantineMetadata, microsoftTodoAudit, timeTravelFilteringDocMetadata, teamsQuarantineMetadata, sharePointAppPermissionOperation, microsoftTeamsSensitivityLabelAction, filteringTeamsMetadata, filteringTeamsUrlInfo, filteringTeamsPostDeliveryAction, mdcAssessments, mdcRegulatoryComplianceStandards, mdcRegulatoryComplianceControls, mdcRegulatoryComplianceAssessments, mdcSecurityConnectors, mdaDataSecuritySignal, vivaGoals, filteringRuntimeInfo, attackSimAdmin, microsoftGraphDataConnectConsent, filteringAtpDetonationInfo, privacyPortal, managedTenants, unifiedSimulationMatchedItem, unifiedSimulationSummary, updateQuarantineMetadata, ms365DSuppressionRule, purviewDataMapOperation, filteringUrlPostClickAction, irmUserDefinedDetectionSignal, teamsUpdates, plannerRosterSensitivityLabel, ms365DIncident, filteringDelistingMetadata, complianceDLPSharePointClassificationExtended, microsoftDefenderForIdentityAudit, supervisoryReviewDayXInsight, defenderExpertsforXDRAdmin, cdpEdgeBlockedMessage, hostedRpa, cdpContentExplorerAggregateRecord, cdpHygieneAttachmentInfo, cdpHygieneSummary, cdpPostMailDeliveryAction, cdpEmailFeatures, cdpHygieneUrlInfo, cdpUrlClick, cdpPackageManagerHygieneEvent, filteringDocScan, timeTravelFilteringDocScan, mapgOnboard, unknownFutureValue. |
| serviceFilter | String | Refers to the workload property in the audit record. This is the Microsoft service where the activity occurred. Optional. |
| status | microsoft.graph.security.auditLogQueryStatus | Describes the current status of the query. The possible values are: notStarted, running, succeeded, failed, cancelled, unknownFutureValue. |
| userPrincipalNameFilters | String collection | The UPN (user principal name) of the user who performed the action (specified in the operation property) that resulted in the record being logged; for example, _m |
Graph reference: host
| Property | Type | Description |
|---|---|---|
| firstSeenDateTime | DateTimeOffset | The first date and time when this host was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| id | String | Unique identifier for the host. Read-only. Inherited from microsoft.graph.security.artifact. |
| lastSeenDateTime | DateTimeOffset | The most recent date and time when this host was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
Graph reference: hostComponent
| Property | Type | Description |
|---|---|---|
| category | String | The type of component that was detected (for example, Operating System, Framework, Remote Access, or Server). |
| firstSeenDateTime | DateTimeOffset | The first date and time when Microsoft Defender Threat Intelligence observed this web component. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is 2014-01-01T00:00:00Z. |
| id | String | A system-generated ID for this hostComponent. Inherited from microsoft.graph.security.artifact. |
| lastSeenDateTime | DateTimeOffset | The most recent date and time when Microsoft Defender Threat Intelligence observed this web component. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is 2014-01-01T00:00:00Z. |
| name | String | A name running on the artifact, for example, Microsoft IIS. |
| version | String | The component version running on the artifact, for example, v8.5. This shouldn't be assumed to be strictly numerical. |
Graph reference: hostCookie
| Property | Type | Description |
|---|---|---|
| domain | String | The URI for which the cookie is valid. |
| firstSeenDateTime | DateTimeOffset | The first date and time when this hostCookie was observed by Microsoft Defender Threat Intelligence. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is 2014-01-01T00:00:00Z. |
| id | String | A system-generated ID for this hostCookie. Inherited from microsoft.graph.security.artifact. |
| lastSeenDateTime | DateTimeOffset | The most recent date and time when this hostCookie was observed by Microsoft Defender Threat Intelligence. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is 2014-01-01T00:00:00Z. |
| name | String | The name of the cookie, for example, JSESSIONID or SEARCH_NAMESITE. |
Graph reference: hostname
| Property | Type | Description |
|---|---|---|
| firstSeenDateTime | DateTimeOffset | The first date and time when this host was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Inherited from microsoft.graph.security.host. |
| id | String | Unique identifier for the hostname. Read-only. Inherited from microsoft.graph.security.artifact. |
| lastSeenDateTime | DateTimeOffset | The most recent date and time when this host was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Inherited from microsoft.graph.security.host. |
| registrant | String | The company or individual who registered this hostname, from WHOIS data. |
| registrar | String | The registrar for this hostname, from WHOIS data. |
Graph reference: hostPair
| Property | Type | Description |
|---|---|---|
| firstSeenDateTime | DateTimeOffset | The date and time when Microsoft Defender Threat Intelligence first observed the hostPair. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| id | String | A system-generated ID for the hostPair. |
| lastSeenDateTime | DateTimeOffset | The date and time when Microsoft Defender Threat Intelligence last observed the hostPair. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| linkKind | String | The reason that two hosts are identified as **h |
Graph reference: hostPort
| Property | Type | Description |
|---|---|---|
| banners | microsoft.graph.security.hostPortBanner collection | The hostPortBanners retrieved from scanning the port. |
| firstSeenDateTime | DateTimeOffset | The first date and time when Microsoft Defender Threat Intelligence observed the hostPort. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is 2014-01-01T00:00:00Z. |
| id | String | A system-generated ID for the hostPort. Inherited from entity. |
| lastScanDateTime | DateTimeOffset | The last date and time when Microsoft Defender Threat Intelligence scanned the hostPort. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is 2014-01-01T00:00:00Z. |
| lastSeenDateTime | DateTimeOffset | The last date and time when Microsoft Defender Threat Intelligence observed the hostPort. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is 2014-01-01T00:00:00Z. |
| port | Int32 | The numerical identifier of the port which is standardized across the internet. |
| protocol | microsoft.graph.security.hostPortProtocol | The general protocol used to scan the port. The possible values are: tcp, udp, unknownFutureValue. |
| services | microsoft.graph.security.hostPortComponent collection | The hostPortComponents retrieved from scanning the port. |
| status | microsoft.graph.security.hostPortStatus | The status of the port. The possible values are: open, filtered, closed, unknownFutureValue. |
| timesObserved | Int32 | The total amount of times that Microsoft Defender Threat Intelligence has observed the **h |
Graph reference: hostReputation
| Property | Type | Description |
|---|---|---|
| classification | microsoft.graph.security.hostReputationClassification | The calculated reputation of the host. The possible values are: unknown, neutral, suspicious, malicious, unknownFutureValue. |
| id | String | A system-generated ID for this hostReputation. |
| rules | microsoft.graph.security.hostReputationRule collection | A collection of rules that have been used to calculate the classification and score. |
| score | Int32 | The calculated score (0-100) of the requested host. A higher value indicates that this host is more likely to be suspicious or malicious. |
Graph reference: hostSslCertificate
| Property | Type | Description |
|---|---|---|
| firstSeenDateTime | DateTimeOffset | The first date and time when this hostSslCertificate was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| id | String | The system-generated ID for this hostSslCertificate. Inherited from artifact. |
| lastSeenDateTime | DateTimeOffset | The most recent date and time when this hostSslCertificate was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| ports | microsoft.graph.security.hostSslCertificatePort collection | The ports related with this **h |
Graph reference: hostTracker
| Property | Type | Description |
|---|---|---|
| firstSeenDateTime | DateTimeOffset | The first date and time when this hostTracker was observed by Microsoft Defender Threat Intelligence. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is 2014-01-01T00:00:00Z. |
| id | String | A system-generated ID for this hostTracker. Inherited from microsoft.graph.security.artifact. |
| kind | String | The kind of hostTracker that was detected. For example, GoogleAnalyticsID or JarmHash. |
| lastSeenDateTime | DateTimeOffset | The most recent date and time when this hostTracker was observed by Microsoft Defender Threat Intelligence. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is 2014-01-01T00:00:00Z. |
| value | String | The identification value for the **h |
Graph reference: intelligenceProfile
| Property | Type | Description |
|---|---|---|
| aliases | String collection | A list of commonly-known aliases for the threat intelligence included in the intelligenceProfile. |
| countriesOrRegionsOfOrigin | microsoft.graph.security.intelligenceProfileCountryOrRegionOfOrigin collection | The country/region of origin for the given actor or threat associated with this intelligenceProfile. |
| description | microsoft.graph.security.formattedContent | A synopsis of the threat actor. This property places the threat actor in wider context, tracing its discovery, history, significant campaigns, targeting, techniques of note, affiliations with governments, law enforcement countermeasures, and any areas of dispute among the security community regarding attribution. |
| firstActiveDateTime | DateTimeOffset | The date and time when this intelligenceProfile was first active. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| id | String | The system generated ID for this intelligenceProfile. |
| kind | microsoft.graph.security.intelligenceProfileKind | A categorization of the type of this intelligenceProfile. The possible values are: actor, tool, unknownFutureValue. |
| summary | microsoft.graph.security.formattedContent | A short summary of this intelligenceProfile. |
| targets | String collection | Known targets related to this intelligenceProfile. |
| title | String | The title of this intelligenceProfile. |
| tradecraft | microsoft.graph.security.formattedContent | Formatted information featuring a description of the distinctive tactics, techniques, and procedures (TTP) of the group, followed by a list of all known custom, commodity, and publicly available implants used by the group. |
Graph reference: intelligenceProfileIndicator
| Property | Type | Description |
|---|---|---|
| firstSeenDateTime | DateTimeOffset | Designate when an artifact was first used actively in an attack, when a particular sample was compiled, or if neither of those could be ascertained when the file was first seen in public repositories (for example, VirusTotal, ANY.RUN, Hybrid Analysis) or reported publicly. |
| id | String | A system generated ID for this intelligenceProfileIndicator. Inherited from microsoft.graph.security.indicator. |
| lastSeenDateTime | DateTimeOffset | Designate when an artifact was most recently used actively in an attack, when a particular sample was compiled, or if neither of those could be ascertained when the file was first seen in public repositories (for example, VirusTotal, ANY.RUN, Hybrid Analysis) or reported publicly. |
| source | microsoft.graph.security.indicatorSource | Communicates the source of this **i |
Graph reference: ipAddress
| Property | Type | Description |
|---|---|---|
| autonomousSystem | microsoft.graph.security.autonomousSystem | The details about the autonomous system to which this IP address belongs. |
| countryOrRegion | String | The country/region for this IP address. |
| firstSeenDateTime | DateTimeOffset | The first date and time when this host was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Inherited from microsoft.graph.security.host. |
| hostingProvider | String | The hosting company listed for this host. |
| id | String | The IP Address for this host. Read-only. Inherited from microsoft.graph.security.artifact. |
| lastSeenDateTime | DateTimeOffset | The most recent date and time when this host was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Inherited from microsoft.graph.security.host. |
| netblock | String | The block of IP addresses this IP address belongs to. |
Graph reference: passiveDnsRecord
| Property | Type | Description |
|---|---|---|
| collectedDateTime | DateTimeOffset | The date and time that this passiveDnsRecord entry was collected by Microsoft. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| firstSeenDateTime | DateTimeOffset | The date and time when this passiveDnsRecord entry was first seen. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| id | String | The unique identifier for this passiveDnsRecord entry. Inherited from microsoft.graph.security.artifact. |
| lastSeenDateTime | DateTimeOffset | The date and time when this passiveDnsRecord entry was most recently seen. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| recordType | String | The DNS record type for this **p |
Graph reference: sslCertificate
| Property | Type | Description |
|---|---|---|
| expirationDateTime | DateTimeOffset | The date and time when a certificate expires. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| fingerprint | String | A hash of the certificate calculated on the data and signature. |
| firstSeenDateTime | DateTimeOffset | The first date and time when this sslCertificate was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| id | String | The system-generated ID for this sslCertificate. Inherited from artifact. |
| issueDateTime | DateTimeOffset | The date and time when a certificate was issued. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| issuer | microsoft.graph.security.sslCertificateEntity | The entity that grants this certificate. |
| lastSeenDateTime | DateTimeOffset | The most recent date and time when this sslCertificate was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| serialNumber | String | The serial number associated with an SSL certificate. |
| sha1 | String | A SHA-1 hash of the certificate. Note: This is not the signature. |
| subject | microsoft.graph.security.sslCertificateEntity | The person, site, machine, and so on, this certificate is for. |
Graph reference: sslCertificateEntity
| Property | Type | Description |
|---|---|---|
| address | microsoft.graph.physicalAddress | A physical address of the entity. |
| alternateNames | String collection | Alternate names for this entity that are part of the certificate. |
| commonName | String | A common name for this entity. |
| String | An email for this entity. | |
| givenName | String | If the entity is a person, this is the person's given name (first name). |
| organizationName | String | If the entity is an organization, this is the name of the organization. |
| organizationUnitName | String | If the entity is an organization, this communicates if a unit in the organization is named on the entity. |
| serialNumber | String | A serial number assigned to the entity; usually only available if the entity is the issuer. |
| surname | String | If the entity is a person, this is the person's surname (last name). |
Graph reference: subdomain
| Property | Type | Description |
|---|---|---|
| firstSeenDateTime | DateTimeOffset | The date and time when Microsoft Defender Threat Intelligence first observed the subdomain. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. |
| id | String | A system-generated ID for the subdomain. |
Graph reference: vulnerability
| Property | Type | Description |
|---|---|---|
| activeExploitsObserved | Boolean | Indicates whether this vulnerability has any known exploits associated to known bad actors. |
| createdDateTime | DateTimeOffset | The date and time when this vulnerability article was first created. |
| cvss2Summary | microsoft.graph.security.cvssSummary | A summary of the common vulnerability scoring system (v2) findings about this vulnerability. |
| cvss3Summary | microsoft.graph.security.cvssSummary | A summary of the common vulnerability scoring system (v3) findings about this vulnerability. |
| commonWeaknessEnumerationIds | String collection | Community-defined common weakness enumerations (CWE). |
| description | microsoft.graph.security.formattedContent | The vulnerability article contents, describing the vulnerability. |
| exploits | microsoft.graph.security.hyperlink collection | Known exploits for this vulnerability. |
| exploitsAvailable | Boolean | Indicates whether this vulnerability has exploits in public sources (such as Packetstorm or Exploit-DB) online. |
| hasChatter | Boolean | Indicates whether chatter about this vulnerability has been discovered online. |
| id | String | A system-generated ID for the vulnerability. |
| lastModifiedDateTime | DateTimeOffset | The date and time when this vulnerability article was most recently updated. |
| priorityScore | Int32 | A unique algorithm that reflects the priority of a vulnerability based on the CVSS score, exploits, chatter, and linkage to malware. This property also evaluates the recency of these components so users can understand which vulnerability should be remediated first. |
| publishedDateTime | DateTimeOffset | The date and time when this vulnerability article was published. |
| references | microsoft.graph.security.hyperlink collection | Reference links where further information can be learned about this vulnerability. |
| remediation | microsoft.graph.security.formattedContent | Any known remediation steps. |
| severity | microsoft.graph.security.vulnerabilitySeverity | Indicates the severity of this vulnerability. The possible values are: none, low, medium, high, critical, unknownFutureValue. |
Graph reference: vulnerabilityComponent
| Property | Type | Description |
|---|---|---|
| id | String | The system-generated ID for this vulnerability component. |
| name | String | The name of this vulnerability component. |
Graph reference: whoisContact
| Property | Type | Description |
|---|---|---|
| address | microsoft.graph.physicalAddress | The physical address of the entity. |
| String | The email of this WHOIS contact. | |
| fax | String | The fax of this WHOIS contact. No format is guaranteed. |
| name | String | The name of this WHOIS contact. |
| organization | String | The organization of this WHOIS contact. |
| telephone | String | The telephone of this WHOIS contact. No format is guaranteed. |
Graph reference: whoisHistoryRecord
| Property | Type | Description |
|---|---|---|
| abuse | microsoft.graph.security.whoisContact | The contact information for the abuse contact. Inherited from whoisBaseRecord. |
| admin | microsoft.graph.security.whoisContact | The contact information for the admin contact. Inherited from whoisBaseRecord. |
| billing | microsoft.graph.security.whoisContact | The contact information for the billing contact. Inherited from whoisBaseRecord. |
| domainStatus | String | The domain status for this WHOIS object. Inherited from whoisBaseRecord. |
| expirationDateTime | DateTimeOffset | The date and time when this WHOIS record expires with the registrar. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Inherited from whoisBaseRecord. |
| firstSeenDateTime | DateTimeOffset | The first seen date and time of this WHOIS record. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Inherited from whoisBaseRecord. |
| id | String | The ID for this WHOIS record object. Inherited from whoisBaseRecord. |
| lastSeenDateTime | DateTimeOffset | The last seen date and time of this WHOIS record. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Inherited from whoisBaseRecord. |
| lastUpdateDateTime | DateTimeOffset | The date and time when this WHOIS record was last modified. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Inherited from whoisBaseRecord. |
| nameservers | microsoft.graph.security.whoisNameserver collection | The nameservers for this WHOIS object. Inherited from whoisBaseRecord. |
| noc | microsoft.graph.security.whoisContact | The contact information for the noc contact. Inherited from whoisBaseRecord. |
| rawWhoisText | String | The raw WHOIS details for this WHOIS object. Inherited from whoisBaseRecord. |
| registrant | microsoft.graph.security.whoisContact | The contact information for the registrant contact. Inherited from whoisBaseRecord. |
| registrar | microsoft.graph.security.whoisContact | The contact information for the registrar contact. Inherited from whoisBaseRecord. |
| registrationDateTime | DateTimeOffset | The date and time when this WHOIS record was registered with a registrar. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Inherited from whoisBaseRecord. |
| technical | microsoft.graph.security.whoisContact | The contact information for the technical contact. Inherited from whoisBaseRecord. |
| whoisServer | String | The WHOIS server that provides the details. Inherited from whoisBaseRecord. |
| zone | microsoft.graph.security.whoisContact | The contact information for the **z |
Graph reference: whoisRecord
| Property | Type | Description |
|---|---|---|
| abuse | microsoft.graph.security.whoisContact | The contact information for the abuse contact. Inherited from whoisBaseRecord. |
| admin | microsoft.graph.security.whoisContact | The contact information for the admin contact. Inherited from whoisBaseRecord. |
| billing | microsoft.graph.security.whoisContact | The contact information for the billing contact. Inherited from whoisBaseRecord. |
| domainStatus | String | The domain status for this WHOIS object. Inherited from whoisBaseRecord. |
| expirationDateTime | DateTimeOffset | The date and time when this WHOIS record expires with the registrar. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Inherited from whoisBaseRecord. |
| firstSeenDateTime | DateTimeOffset | The first seen date and time of this WHOIS record. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Inherited from whoisBaseRecord. |
| id | String | The ID for this WHOIS record object. Inherited from whoisBaseRecord. |
| lastSeenDateTime | DateTimeOffset | The last seen date and time of this WHOIS record. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Inherited from whoisBaseRecord. |
| lastUpdateDateTime | DateTimeOffset | The date and time when this WHOIS record was last modified. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Inherited from whoisBaseRecord. |
| nameservers | microsoft.graph.security.whoisNameserver collection | The nameservers for this WHOIS object. Inherited from whoisBaseRecord. |
| noc | microsoft.graph.security.whoisContact | The contact information for the noc contact. Inherited from whoisBaseRecord. |
| rawWhoisText | String | The raw WHOIS details for this WHOIS object. Inherited from whoisBaseRecord. |
| registrant | microsoft.graph.security.whoisContact | The contact information for the registrant contact. Inherited from whoisBaseRecord. |
| registrar | microsoft.graph.security.whoisContact | The contact information for the registrar contact. Inherited from whoisBaseRecord. |
| registrationDateTime | DateTimeOffset | The date and time when this WHOIS record was registered with a registrar. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is 2014-01-01T00:00:00Z. Inherited from whoisBaseRecord. |
| technical | microsoft.graph.security.whoisContact | The contact information for the technical contact. Inherited from whoisBaseRecord. |
| whoisServer | String | The WHOIS server that provides the details. Inherited from whoisBaseRecord. |
| zone | microsoft.graph.security.whoisContact | The contact information for the **z |