ThreatIntelligence.Read.All

Allows the app to read threat intelligence information, such as indicators, observations, and articles, on behalf of the signed-in user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the ThreatIntelligence.Read.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	e0b77adb-e790-44a3-b0a0-257d06303687	f266d9c0-ccb9-4fb8-a228-01ac0d8d6627
DisplayText	Read all Threat Intelligence Information	Read all threat intelligence information
Description	Allows the app to read threat intelligence information, such as indicators, observations, and and articles, without a signed in user.	Allows the app to read threat intelligence information, such as indicators, observations, and articles, on behalf of the signed-in user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /security/threatIntelligence/articleIndicators/{articleIndicatorId}
	GET /security/threatIntelligence/articles
	GET /security/threatIntelligence/articles/{articleId}
	GET /security/threatIntelligence/articles/{articleId}/indicators
	GET /security/threatIntelligence/hostComponents/{hostComponentId}
	GET /security/threatIntelligence/hostCookies/{hostCookieId}
	GET /security/threatIntelligence/hostPairs/{hostPairId}
	GET /security/threatIntelligence/hostPorts/{hostPortId}
	GET /security/threatIntelligence/hosts/{hostId}
	GET /security/threatIntelligence/hosts/{hostId}/childHostPairs
	GET /security/threatIntelligence/hosts/{hostId}/components
	GET /security/threatIntelligence/hosts/{hostId}/cookies
	GET /security/threatIntelligence/hosts/{hostId}/hostPairs
	GET /security/threatIntelligence/hosts/{hostId}/parentHostPairs
	GET /security/threatIntelligence/hosts/{hostId}/passiveDns
	GET /security/threatIntelligence/hosts/{hostId}/passiveDnsReverse
	GET /security/threatIntelligence/hosts/{hostId}/ports
	GET /security/threatIntelligence/hosts/{hostId}/reputation
	GET /security/threatIntelligence/hosts/{hostId}/sslCertificates
	GET /security/threatIntelligence/hosts/{hostId}/subdomains
	GET /security/threatIntelligence/hosts/{hostId}/trackers
	GET /security/threatIntelligence/hosts/{hostId}/whois
	GET /security/threatIntelligence/hosts/{hostId}/whois/history
	GET /security/threatIntelligence/hostSslCertificates/{hostSslCertificateId}
	GET /security/threatIntelligence/hostTrackers/{hostTrackerId}
	GET /security/threatIntelligence/intelligenceProfileIndicators/{intelligenceProfileIndicatorId}
	GET /security/threatIntelligence/intelProfiles
	GET /security/threatIntelligence/intelProfiles/{intelligenceProfileId}
	GET /security/threatIntelligence/intelProfiles/{intelligenceProfileId}/indicators
	GET /security/threatIntelligence/passiveDnsRecords/{passiveDnsRecordId}
	GET /security/threatIntelligence/sslCertificates?$search="{property_name}:{property_value}"
	GET /security/threatIntelligence/sslCertificates/{sslCertificateId}
	GET /security/threatIntelligence/subdomains/{subdomainId}
	GET /security/threatIntelligence/vulnerabilities/{vulnerabilityId}
	GET /security/threatIntelligence/vulnerabilities/{vulnerabilityId}/components
	GET /security/threatIntelligence/vulnerabilities/{vulnerabilityId}/components/{vulnerabilityComponentId}
	GET /security/threatIntelligence/whoisHistoryRecord/{whoisHistoryRecordId}
	GET /security/threatIntelligence/whoisRecords?$search="{value}"
	GET /security/threatIntelligence/whoisRecords/{id}/history
	GET security/threatIntelligence/sslCertificates/{sslCertificateId}/relatedHosts

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	GET /security/threatIntelligence/articleIndicators/{articleIndicatorId}
	GET /security/threatIntelligence/articles
	GET /security/threatIntelligence/articles/{articleId}
	GET /security/threatIntelligence/articles/{articleId}/indicators
	GET /security/threatIntelligence/hostComponents/{hostComponentId}
	GET /security/threatIntelligence/hostCookies/{hostCookieId}
	GET /security/threatIntelligence/hostPairs/{hostPairId}
	GET /security/threatIntelligence/hostPorts/{hostPortId}
	GET /security/threatIntelligence/hosts/{hostId}
	GET /security/threatIntelligence/hosts/{hostId}/childHostPairs
	GET /security/threatIntelligence/hosts/{hostId}/components
	GET /security/threatIntelligence/hosts/{hostId}/cookies
	GET /security/threatIntelligence/hosts/{hostId}/hostPairs
	GET /security/threatIntelligence/hosts/{hostId}/parentHostPairs
	GET /security/threatIntelligence/hosts/{hostId}/passiveDns
	GET /security/threatIntelligence/hosts/{hostId}/passiveDnsReverse
	GET /security/threatIntelligence/hosts/{hostId}/ports
	GET /security/threatIntelligence/hosts/{hostId}/reputation
	GET /security/threatIntelligence/hosts/{hostId}/sslCertificates
	GET /security/threatIntelligence/hosts/{hostId}/subdomains
	GET /security/threatIntelligence/hosts/{hostId}/trackers
	GET /security/threatIntelligence/hosts/{hostId}/whois
	GET /security/threatIntelligence/hosts/{hostId}/whois/history
	GET /security/threatIntelligence/hostSslCertificates/{hostSslCertificateId}
	GET /security/threatIntelligence/hostTrackers/{hostTrackerId}
	GET /security/threatIntelligence/intelligenceProfileIndicators/{intelligenceProfileIndicatorId}
	GET /security/threatIntelligence/intelProfiles
	GET /security/threatIntelligence/intelProfiles/{intelligenceProfileId}
	GET /security/threatIntelligence/intelProfiles/{intelligenceProfileId}/indicators
	GET /security/threatIntelligence/passiveDnsRecords/{passiveDnsRecordId}
	GET /security/threatIntelligence/sslCertificates
	GET /security/threatIntelligence/sslCertificates/{sslCertificateId}
	GET /security/threatIntelligence/subdomains/{subdomainId}
	GET /security/threatIntelligence/vulnerabilities/{vulnerabilityId}
	GET /security/threatIntelligence/vulnerabilities/{vulnerabilityId}/components
	GET /security/threatIntelligence/vulnerabilities/{vulnerabilityId}/components/{vulnerabilityComponentId}
	GET /security/threatIntelligence/whoisHistoryRecord/{whoisHistoryRecordId}
	GET /security/threatIntelligence/whoisRecords?$search="{value}"
	GET /security/threatIntelligence/whoisRecords/{id}/history
	GET security/threatIntelligence/sslCertificates/{sslCertificateId}/relatedHosts

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgSecurityThreatIntelligenceArticle
	Get-MgSecurityThreatIntelligenceArticleIndicator
	Get-MgSecurityThreatIntelligenceHost
	Get-MgSecurityThreatIntelligenceHostChildHostPair
	Get-MgSecurityThreatIntelligenceHostComponent
	Get-MgSecurityThreatIntelligenceHostCookie
	Get-MgSecurityThreatIntelligenceHostPair
	Get-MgSecurityThreatIntelligenceHostParentHostPair
	Get-MgSecurityThreatIntelligenceHostPassiveDns
	Get-MgSecurityThreatIntelligenceHostPassiveDnsReverse
	Get-MgSecurityThreatIntelligenceHostPort
	Get-MgSecurityThreatIntelligenceHostReputation
	Get-MgSecurityThreatIntelligenceHostSslCertificate
	Get-MgSecurityThreatIntelligenceHostSubdomain
	Get-MgSecurityThreatIntelligenceHostTracker
	Get-MgSecurityThreatIntelligenceIntelProfile
	Get-MgSecurityThreatIntelligenceIntelProfileIndicator
	Get-MgSecurityThreatIntelligencePassiveDnsRecord
	Get-MgSecurityThreatIntelligenceProfileIndicator
	Get-MgSecurityThreatIntelligenceSslCertificate
	Get-MgSecurityThreatIntelligenceSslCertificateRelatedHost
	Get-MgSecurityThreatIntelligenceSubdomain
	Get-MgSecurityThreatIntelligenceVulnerability
	Get-MgSecurityThreatIntelligenceVulnerabilityComponent
	Get-MgSecurityThreatIntelligenceWhoisRecord
	Get-MgSecurityThreatIntelligenceWhoisRecordHistory

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaSecurityThreatIntelligenceArticle
	Get-MgBetaSecurityThreatIntelligenceArticleIndicator
	Get-MgBetaSecurityThreatIntelligenceHost
	Get-MgBetaSecurityThreatIntelligenceHostChildHostPair
	Get-MgBetaSecurityThreatIntelligenceHostComponent
	Get-MgBetaSecurityThreatIntelligenceHostCookie
	Get-MgBetaSecurityThreatIntelligenceHostPair
	Get-MgBetaSecurityThreatIntelligenceHostParentHostPair
	Get-MgBetaSecurityThreatIntelligenceHostPassiveDns
	Get-MgBetaSecurityThreatIntelligenceHostPassiveDnsReverse
	Get-MgBetaSecurityThreatIntelligenceHostPort
	Get-MgBetaSecurityThreatIntelligenceHostReputation
	Get-MgBetaSecurityThreatIntelligenceHostSslCertificate
	Get-MgBetaSecurityThreatIntelligenceHostSubdomain
	Get-MgBetaSecurityThreatIntelligenceHostTracker
	Get-MgBetaSecurityThreatIntelligenceIntelProfile
	Get-MgBetaSecurityThreatIntelligenceIntelProfileIndicator
	Get-MgBetaSecurityThreatIntelligencePassiveDnsRecord
	Get-MgBetaSecurityThreatIntelligenceProfileIndicator
	Get-MgBetaSecurityThreatIntelligenceSslCertificate
	Get-MgBetaSecurityThreatIntelligenceSslCertificateRelatedHost
	Get-MgBetaSecurityThreatIntelligenceSubdomain
	Get-MgBetaSecurityThreatIntelligenceVulnerability
	Get-MgBetaSecurityThreatIntelligenceVulnerabilityComponent
	Get-MgBetaSecurityThreatIntelligenceWhoisRecord
	Get-MgBetaSecurityThreatIntelligenceWhoisRecordHistory

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: article

Property	Type	Description
body	microsoft.graph.security.formattedContent	Formatted article contents.
createdDateTime	DateTimeOffset	The date and time when this article was created. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
isFeatured	Boolean	Indicates whether this article is currently featured by Microsoft.
id	String	The system-generated ID for this article.
imageUrl	String	URL of the header image for this article, used for display purposes.
lastUpdatedDateTime	DateTimeOffset	The most recent date and time when this article was updated. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
summary	microsoft.graph.security.formattedContent	A quick summary of this article.
tags	String collection	Tags for this article, communicating keywords, or key concepts.
title	String	The title of this **a

Graph reference: articleIndicator

Property	Type	Description
id	String	The system-generated ID for the articleIndicator. Inherited from microsoft.graph.security.indicator.
source	microsoft.graph.security.indicatorSource	Communicates where this **a

Graph reference: host

Property	Type	Description
firstSeenDateTime	DateTimeOffset	The first date and time when this host was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
id	String	Unique identifier for the host. Read-only. Inherited from microsoft.graph.security.artifact.
lastSeenDateTime	DateTimeOffset	The most recent date and time when this host was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.

Graph reference: hostComponent

Property	Type	Description
category	String	The type of component that was detected (for example, `Operating System`, `Framework`, `Remote Access`, or `Server`).
firstSeenDateTime	DateTimeOffset	The first date and time when Microsoft Defender Threat Intelligence observed this web component. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is `2014-01-01T00:00:00Z`.
id	String	A system-generated ID for this hostComponent. Inherited from microsoft.graph.security.artifact.
lastSeenDateTime	DateTimeOffset	The most recent date and time when Microsoft Defender Threat Intelligence observed this web component. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is `2014-01-01T00:00:00Z`.
name	String	A name running on the artifact, for example, `Microsoft IIS`.
version	String	The component version running on the artifact, for example, `v8.5`. This shouldn't be assumed to be strictly numerical.

Graph reference: hostCookie

Property	Type	Description
domain	String	The URI for which the cookie is valid.
firstSeenDateTime	DateTimeOffset	The first date and time when this hostCookie was observed by Microsoft Defender Threat Intelligence. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is `2014-01-01T00:00:00Z`.
id	String	A system-generated ID for this hostCookie. Inherited from microsoft.graph.security.artifact.
lastSeenDateTime	DateTimeOffset	The most recent date and time when this hostCookie was observed by Microsoft Defender Threat Intelligence. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is `2014-01-01T00:00:00Z`.
name	String	The name of the cookie, for example, `JSESSIONID` or `SEARCH_NAMESITE`.

Graph reference: hostname

Property	Type	Description
firstSeenDateTime	DateTimeOffset	The first date and time when this host was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from microsoft.graph.security.host.
id	String	Unique identifier for the hostname. Read-only. Inherited from microsoft.graph.security.artifact.
lastSeenDateTime	DateTimeOffset	The most recent date and time when this host was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from microsoft.graph.security.host.
registrant	String	The company or individual who registered this hostname, from WHOIS data.
registrar	String	The registrar for this hostname, from WHOIS data.

Graph reference: hostPair

Property	Type	Description
firstSeenDateTime	DateTimeOffset	The date and time when Microsoft Defender Threat Intelligence first observed the hostPair. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
id	String	A system-generated ID for the hostPair.
lastSeenDateTime	DateTimeOffset	The date and time when Microsoft Defender Threat Intelligence last observed the hostPair. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
linkKind	String	The reason that two hosts are identified as **h

Graph reference: hostPort

Property	Type	Description
banners	microsoft.graph.security.hostPortBanner collection	The hostPortBanners retrieved from scanning the port.
firstSeenDateTime	DateTimeOffset	The first date and time when Microsoft Defender Threat Intelligence observed the hostPort. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is `2014-01-01T00:00:00Z`.
id	String	A system-generated ID for the hostPort. Inherited from entity.
lastScanDateTime	DateTimeOffset	The last date and time when Microsoft Defender Threat Intelligence scanned the hostPort. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is `2014-01-01T00:00:00Z`.
lastSeenDateTime	DateTimeOffset	The last date and time when Microsoft Defender Threat Intelligence observed the hostPort. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is `2014-01-01T00:00:00Z`.
port	Int32	The numerical identifier of the port which is standardized across the internet.
protocol	microsoft.graph.security.hostPortProtocol	The general protocol used to scan the port. The possible values are: `tcp`, `udp`, `unknownFutureValue`.
services	microsoft.graph.security.hostPortComponent collection	The hostPortComponents retrieved from scanning the port.
status	microsoft.graph.security.hostPortStatus	The status of the port. The possible values are: `open`, `filtered`, `closed`, `unknownFutureValue`.
timesObserved	Int32	The total amount of times that Microsoft Defender Threat Intelligence has observed the **h

Graph reference: hostReputation

Property	Type	Description
classification	microsoft.graph.security.hostReputationClassification	The calculated reputation of the host. The possible values are: `unknown`, `neutral`, `suspicious`, `malicious`, `unknownFutureValue`.
id	String	A system-generated ID for this hostReputation.
rules	microsoft.graph.security.hostReputationRule collection	A collection of rules that have been used to calculate the classification and score.
score	Int32	The calculated score (0-100) of the requested host. A higher value indicates that this host is more likely to be suspicious or malicious.

Graph reference: hostSslCertificate

Property	Type	Description
firstSeenDateTime	DateTimeOffset	The first date and time when this hostSslCertificate was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
id	String	The system-generated ID for this hostSslCertificate. Inherited from artifact.
lastSeenDateTime	DateTimeOffset	The most recent date and time when this hostSslCertificate was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
ports	microsoft.graph.security.hostSslCertificatePort collection	The ports related with this **h

Graph reference: hostTracker

Property	Type	Description
firstSeenDateTime	DateTimeOffset	The first date and time when this hostTracker was observed by Microsoft Defender Threat Intelligence. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is `2014-01-01T00:00:00Z`.
id	String	A system-generated ID for this hostTracker. Inherited from microsoft.graph.security.artifact.
kind	String	The kind of hostTracker that was detected. For example, `GoogleAnalyticsID` or `JarmHash`.
lastSeenDateTime	DateTimeOffset	The most recent date and time when this hostTracker was observed by Microsoft Defender Threat Intelligence. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014, is `2014-01-01T00:00:00Z`.
value	String	The identification value for the **h

Graph reference: intelligenceProfile

Property	Type	Description
aliases	String collection	A list of commonly-known aliases for the threat intelligence included in the intelligenceProfile.
countriesOrRegionsOfOrigin	microsoft.graph.security.intelligenceProfileCountryOrRegionOfOrigin collection	The country/region of origin for the given actor or threat associated with this intelligenceProfile.
description	microsoft.graph.security.formattedContent	A synopsis of the threat actor. This property places the threat actor in wider context, tracing its discovery, history, significant campaigns, targeting, techniques of note, affiliations with governments, law enforcement countermeasures, and any areas of dispute among the security community regarding attribution.
firstActiveDateTime	DateTimeOffset	The date and time when this intelligenceProfile was first active. The timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
id	String	The system generated ID for this intelligenceProfile.
kind	microsoft.graph.security.intelligenceProfileKind	A categorization of the type of this intelligenceProfile. The possible values are: `actor`, `tool`, `unknownFutureValue`.
summary	microsoft.graph.security.formattedContent	A short summary of this intelligenceProfile.
targets	String collection	Known targets related to this intelligenceProfile.
title	String	The title of this intelligenceProfile.
tradecraft	microsoft.graph.security.formattedContent	Formatted information featuring a description of the distinctive tactics, techniques, and procedures (TTP) of the group, followed by a list of all known custom, commodity, and publicly available implants used by the group.

Graph reference: intelligenceProfileIndicator

Property	Type	Description
firstSeenDateTime	DateTimeOffset	Designate when an artifact was first used actively in an attack, when a particular sample was compiled, or if neither of those could be ascertained when the file was first seen in public repositories (for example, VirusTotal, ANY.RUN, Hybrid Analysis) or reported publicly.
id	String	A system generated ID for this intelligenceProfileIndicator. Inherited from microsoft.graph.security.indicator.
lastSeenDateTime	DateTimeOffset	Designate when an artifact was most recently used actively in an attack, when a particular sample was compiled, or if neither of those could be ascertained when the file was first seen in public repositories (for example, VirusTotal, ANY.RUN, Hybrid Analysis) or reported publicly.
source	microsoft.graph.security.indicatorSource	Communicates the source of this **i

Graph reference: ipAddress

Property	Type	Description
autonomousSystem	microsoft.graph.security.autonomousSystem	The details about the autonomous system to which this IP address belongs.
countryOrRegion	String	The country/region for this IP address.
firstSeenDateTime	DateTimeOffset	The first date and time when this host was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from microsoft.graph.security.host.
hostingProvider	String	The hosting company listed for this host.
id	String	The IP Address for this host. Read-only. Inherited from microsoft.graph.security.artifact.
lastSeenDateTime	DateTimeOffset	The most recent date and time when this host was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from microsoft.graph.security.host.
netblock	String	The block of IP addresses this IP address belongs to.

Graph reference: passiveDnsRecord

Property	Type	Description
collectedDateTime	DateTimeOffset	The date and time that this passiveDnsRecord entry was collected by Microsoft. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
firstSeenDateTime	DateTimeOffset	The date and time when this passiveDnsRecord entry was first seen. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
id	String	The unique identifier for this passiveDnsRecord entry. Inherited from microsoft.graph.security.artifact.
lastSeenDateTime	DateTimeOffset	The date and time when this passiveDnsRecord entry was most recently seen. The Timestamp type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
recordType	String	The DNS record type for this **p

Graph reference: sslCertificate

Property	Type	Description
expirationDateTime	DateTimeOffset	The date and time when a certificate expires. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
fingerprint	String	A hash of the certificate calculated on the data and signature.
firstSeenDateTime	DateTimeOffset	The first date and time when this sslCertificate was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
id	String	The system-generated ID for this sslCertificate. Inherited from artifact.
issueDateTime	DateTimeOffset	The date and time when a certificate was issued. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
issuer	microsoft.graph.security.sslCertificateEntity	The entity that grants this certificate.
lastSeenDateTime	DateTimeOffset	The most recent date and time when this sslCertificate was observed. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
serialNumber	String	The serial number associated with an SSL certificate.
sha1	String	A SHA-1 hash of the certificate. Note: This is not the signature.
subject	microsoft.graph.security.sslCertificateEntity	The person, site, machine, and so on, this certificate is for.

Graph reference: sslCertificateEntity

Property	Type	Description
address	microsoft.graph.physicalAddress	A physical address of the entity.
alternateNames	String collection	Alternate names for this entity that are part of the certificate.
commonName	String	A common name for this entity.
email	String	An email for this entity.
givenName	String	If the entity is a person, this is the person's given name (first name).
organizationName	String	If the entity is an organization, this is the name of the organization.
organizationUnitName	String	If the entity is an organization, this communicates if a unit in the organization is named on the entity.
serialNumber	String	A serial number assigned to the entity; usually only available if the entity is the issuer.
surname	String	If the entity is a person, this is the person's surname (last name).

Graph reference: subdomain

Property	Type	Description
firstSeenDateTime	DateTimeOffset	The date and time when Microsoft Defender Threat Intelligence first observed the subdomain. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`.
id	String	A system-generated ID for the subdomain.

Graph reference: vulnerability

Property	Type	Description
activeExploitsObserved	Boolean	Indicates whether this vulnerability has any known exploits associated to known bad actors.
createdDateTime	DateTimeOffset	The date and time when this vulnerability article was first created.
cvss2Summary	microsoft.graph.security.cvssSummary	A summary of the common vulnerability scoring system (v2) findings about this vulnerability.
cvss3Summary	microsoft.graph.security.cvssSummary	A summary of the common vulnerability scoring system (v3) findings about this vulnerability.
commonWeaknessEnumerationIds	String collection	Community-defined common weakness enumerations (CWE).
description	microsoft.graph.security.formattedContent	The vulnerability article contents, describing the vulnerability.
exploits	microsoft.graph.security.hyperlink collection	Known exploits for this vulnerability.
exploitsAvailable	Boolean	Indicates whether this vulnerability has exploits in public sources (such as Packetstorm or Exploit-DB) online.
hasChatter	Boolean	Indicates whether chatter about this vulnerability has been discovered online.
id	String	A system-generated ID for the vulnerability.
lastModifiedDateTime	DateTimeOffset	The date and time when this vulnerability article was most recently updated.
priorityScore	Int32	A unique algorithm that reflects the priority of a vulnerability based on the CVSS score, exploits, chatter, and linkage to malware. This property also evaluates the recency of these components so users can understand which vulnerability should be remediated first.
publishedDateTime	DateTimeOffset	The date and time when this vulnerability article was published.
references	microsoft.graph.security.hyperlink collection	Reference links where further information can be learned about this vulnerability.
remediation	microsoft.graph.security.formattedContent	Any known remediation steps.
severity	microsoft.graph.security.vulnerabilitySeverity	Indicates the severity of this vulnerability. The possible values are: `none`, `low`, `medium`, `high`, `critical`, `unknownFutureValue`.

Graph reference: vulnerabilityComponent

Property	Type	Description
id	String	The system-generated ID for this vulnerability component.
name	String	The name of this vulnerability component.

Graph reference: whoisContact

Property	Type	Description
address	microsoft.graph.physicalAddress	The physical address of the entity.
email	String	The email of this WHOIS contact.
fax	String	The fax of this WHOIS contact. No format is guaranteed.
name	String	The name of this WHOIS contact.
organization	String	The organization of this WHOIS contact.
telephone	String	The telephone of this WHOIS contact. No format is guaranteed.

Graph reference: whoisHistoryRecord

Property	Type	Description
abuse	microsoft.graph.security.whoisContact	The contact information for the abuse contact. Inherited from whoisBaseRecord.
admin	microsoft.graph.security.whoisContact	The contact information for the admin contact. Inherited from whoisBaseRecord.
billing	microsoft.graph.security.whoisContact	The contact information for the billing contact. Inherited from whoisBaseRecord.
domainStatus	String	The domain status for this WHOIS object. Inherited from whoisBaseRecord.
expirationDateTime	DateTimeOffset	The date and time when this WHOIS record expires with the registrar. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from whoisBaseRecord.
firstSeenDateTime	DateTimeOffset	The first seen date and time of this WHOIS record. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from whoisBaseRecord.
id	String	The ID for this WHOIS record object. Inherited from whoisBaseRecord.
lastSeenDateTime	DateTimeOffset	The last seen date and time of this WHOIS record. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from whoisBaseRecord.
lastUpdateDateTime	DateTimeOffset	The date and time when this WHOIS record was last modified. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from whoisBaseRecord.
nameservers	microsoft.graph.security.whoisNameserver collection	The nameservers for this WHOIS object. Inherited from whoisBaseRecord.
noc	microsoft.graph.security.whoisContact	The contact information for the noc contact. Inherited from whoisBaseRecord.
rawWhoisText	String	The raw WHOIS details for this WHOIS object. Inherited from whoisBaseRecord.
registrant	microsoft.graph.security.whoisContact	The contact information for the registrant contact. Inherited from whoisBaseRecord.
registrar	microsoft.graph.security.whoisContact	The contact information for the registrar contact. Inherited from whoisBaseRecord.
registrationDateTime	DateTimeOffset	The date and time when this WHOIS record was registered with a registrar. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from whoisBaseRecord.
technical	microsoft.graph.security.whoisContact	The contact information for the technical contact. Inherited from whoisBaseRecord.
whoisServer	String	The WHOIS server that provides the details. Inherited from whoisBaseRecord.
zone	microsoft.graph.security.whoisContact	The contact information for the **z

Graph reference: whoisRecord

Property	Type	Description
abuse	microsoft.graph.security.whoisContact	The contact information for the abuse contact. Inherited from whoisBaseRecord.
admin	microsoft.graph.security.whoisContact	The contact information for the admin contact. Inherited from whoisBaseRecord.
billing	microsoft.graph.security.whoisContact	The contact information for the billing contact. Inherited from whoisBaseRecord.
domainStatus	String	The domain status for this WHOIS object. Inherited from whoisBaseRecord.
expirationDateTime	DateTimeOffset	The date and time when this WHOIS record expires with the registrar. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from whoisBaseRecord.
firstSeenDateTime	DateTimeOffset	The first seen date and time of this WHOIS record. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from whoisBaseRecord.
id	String	The ID for this WHOIS record object. Inherited from whoisBaseRecord.
lastSeenDateTime	DateTimeOffset	The last seen date and time of this WHOIS record. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from whoisBaseRecord.
lastUpdateDateTime	DateTimeOffset	The date and time when this WHOIS record was last modified. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from whoisBaseRecord.
nameservers	microsoft.graph.security.whoisNameserver collection	The nameservers for this WHOIS object. Inherited from whoisBaseRecord.
noc	microsoft.graph.security.whoisContact	The contact information for the noc contact. Inherited from whoisBaseRecord.
rawWhoisText	String	The raw WHOIS details for this WHOIS object. Inherited from whoisBaseRecord.
registrant	microsoft.graph.security.whoisContact	The contact information for the registrant contact. Inherited from whoisBaseRecord.
registrar	microsoft.graph.security.whoisContact	The contact information for the registrar contact. Inherited from whoisBaseRecord.
registrationDateTime	DateTimeOffset	The date and time when this WHOIS record was registered with a registrar. The timestamp type represents date and time information using ISO 8601 format and is always in UTC. For example, midnight UTC on Jan 1, 2014 is `2014-01-01T00:00:00Z`. Inherited from whoisBaseRecord.
technical	microsoft.graph.security.whoisContact	The contact information for the technical contact. Inherited from whoisBaseRecord.
whoisServer	String	The WHOIS server that provides the details. Inherited from whoisBaseRecord.
zone	microsoft.graph.security.whoisContact	The contact information for the **z

Table of Contents

ThreatIntelligence.Read.All

Graph Methods

Resources