Hi,
Thanks for reaching out to Microsoft Q&A.
You are correct in identifying that the Microsoft Graph Threat Intelligence API for Whois does not yet fully support the depth of filtering/searching you'd expect, especially by email across Whois history records. Let's break this down clearly:
**What Works**

This endpoint:

`GET /security/threatIntelligence/whoisRecords?$search="{value}"`

- It does support searching by email or domain in current Whois records.
- Returns up to 25 results by default (pagination supported via `@odata.nextLink`).
**What Doesn't Work (as of now)**

This endpoint:

`GET /security/threatIntelligence/whoisRecords/{id}/history`

- Only works per record, meaning you must already have the `id` of a Whois record to retrieve history.
- No `$search` or filtering across multiple history records.
- So you can't do something like `?$filter=email eq 'test@example.com'` across all history.
**Why You See 14 Results in API vs 34 in UI?**

The Microsoft 365 Defender UI aggregates:

- WhoisRecords
- WhoisRecord History
- Possibly passive DNS / additional enrichment data.

The API, in contrast:

- Only returns what's directly exposed.
- So, if you search by email in the API, you're getting only current records.
- The history is siloed per record, not globally searchable.
**Workaround**

To simulate the UI behavior:

- Call `GET /security/threatIntelligence/whoisRecords?$search="******@email.com"`.
- Loop through each returned Whois record:
  - For each one, call `GET /security/threatIntelligence/whoisRecords/{id}/history`.
- Aggregate all results manually.

**Note:**

There is currently no API endpoint to:

- Search all Whois history globally by email.
- Do deep entity correlation like the UI.

On the downside, this can be slow, especially if you're dealing with a large dataset.
Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.
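The workaround above, as an added example that is not part of the original answer or Microsoft's own code: one paginated `$search` call, then one paginated `/history` call per returned record, with the results merged into a single view. The Graph base URL (`v1.0`), the `get_json` callable that performs the authenticated GET, the `$skiptoken` continuation links and every record in `SAMPLE_PAGES` are assumptions or constructed sample data, so the script runs offline.

```python
"""Aggregate Whois records and per-record history for an email address.

Added example for this thread, not code from the original answer or from
Microsoft. It assumes a caller-supplied get_json(url) callable that performs
an authenticated Microsoft Graph GET and returns the parsed JSON body, and
that the collection lives under the v1.0 base URL (an assumption; adjust if
your tenant uses /beta). The sample responses at the bottom are constructed.
"""
from typing import Callable, Dict, List
from urllib.parse import quote

GRAPH_BASE = "https://graph.microsoft.com/v1.0"          # assumed base URL
WHOIS = f"{GRAPH_BASE}/security/threatIntelligence/whoisRecords"

JsonGetter = Callable[[str], dict]


def fetch_all(get_json: JsonGetter, url: str) -> List[dict]:
    """Follow @odata.nextLink until the collection is exhausted.

    Tracks visited URLs so a malformed or looping nextLink cannot hang the
    caller forever.
    """
    items: List[dict] = []
    seen = set()
    while url:
        if url in seen:
            raise RuntimeError(f"pagination loop at {url}")
        seen.add(url)
        page = get_json(url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def collect_whois_with_history(get_json: JsonGetter, email: str) -> List[dict]:
    """Search current Whois records by email, then pull each record's history.

    Mirrors the workaround in the answer: one $search call (paginated), then
    one /history call per returned record (also paginated).
    """
    search_url = f'{WHOIS}?$search="{quote(email, safe="@")}"'
    current = fetch_all(get_json, search_url)
    results = []
    for rec in current:
        history = fetch_all(get_json, f"{WHOIS}/{rec['id']}/history")
        results.append({"record": rec, "history": history})
    return results


def summarize(results: List[dict]) -> Dict[str, int]:
    """Count what the UI would present as one aggregated view."""
    history_total = sum(len(r["history"]) for r in results)
    return {"currentRecords": len(results), "historyEntries": history_total}


# ---- constructed sample responses (not real API output) ----------------
_SEARCH = f'{WHOIS}?$search="test@example.com"'
_SEARCH_PAGE2 = _SEARCH + "&$skiptoken=page2"   # constructed continuation link
SAMPLE_PAGES = {
    _SEARCH: {
        "value": [{"id": "wr-a", "lastSeenDateTime": "2024-01-05T00:00:00Z"},
                  {"id": "wr-b", "lastSeenDateTime": "2024-02-01T00:00:00Z"}],
        "@odata.nextLink": _SEARCH_PAGE2,
    },
    _SEARCH_PAGE2: {
        "value": [{"id": "wr-c", "lastSeenDateTime": "2024-03-10T00:00:00Z"}],
    },
    f"{WHOIS}/wr-a/history": {"value": [{"id": "wr-a-h1"}, {"id": "wr-a-h2"}]},
    f"{WHOIS}/wr-b/history": {"value": []},          # record with no history
    f"{WHOIS}/wr-c/history": {
        "value": [{"id": "wr-c-h1"}],
        "@odata.nextLink": f"{WHOIS}/wr-c/history?$skiptoken=page2",
    },
    f"{WHOIS}/wr-c/history?$skiptoken=page2": {"value": [{"id": "wr-c-h2"}]},
}


def sample_get_json(url: str) -> dict:
    """Offline stand-in for an authenticated Graph GET."""
    if url not in SAMPLE_PAGES:
        raise KeyError(f"unexpected URL in sample: {url}")
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    found = collect_whois_with_history(sample_get_json, "test@example.com")
    print(summarize(found))   # {'currentRecords': 3, 'historyEntries': 4}
```

Against the live API, `get_json` would be something like `lambda url: requests.get(url, headers={"Authorization": f"Bearer {token}"}, timeout=30).json()` (after checking the status code) with a token carrying the `ThreatIntelligence.Read.All` permission. Because the history calls run one per record, add throttling or retry-on-429 handling before pointing this at a large result set; the visited-URL check in `fetch_all` is there so a bad `@odata.nextLink` fails loudly instead of looping.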