Forum Discussion
Microsoft Sentinel Threat Intel API - IOC Syntax
I am having some trouble with the threat intel API and the syntax for the indicator object. I have even tried copying examples from various forums and Google searches, but nothing has worked yet.
Right now, I am trying the minimal amount of settings I possibly can:
tiBody = {
    "kind": "indicator",
    "properties": {
        "name": "File hash for malware variant",
        "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
        "pattern_type": "stix",
    },
}
But I always get this error:
{'error': {'code': 'BadRequest',
'message': "STIX Object of type 'indicator' must provide a value for the required property 'pattern_type'"}}
Clearly, I have pattern_type in the body, and I have tried variations such as "stix", "file", "file:hashes", etc.
Any suggestions?
Python Notebook:
import requests

# headers must be defined before the request that uses them
headers2 = {
    "Content-Type": "application/json",
    "Authorization": bearer,
}

requests.post(tiURL, json=tiBody, headers=headers2)
Any help is appreciated.
Thanks,
Matt
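As an added example (not Matt's notebook and not Microsoft's code), the helper below builds an indicator body in the shape the Sentinel threat-intelligence REST API expects and runs a local sanity check before anything is sent. It assumes the Sentinel REST indicator object uses camelCase property names (patternType, displayName, validFrom), which differ from the snake_case STIX names (pattern_type) that appear in the service's error text; the request URL, bearer token and source string are placeholders, and the MD5 value is the one from the post above.

```python
"""Build and sanity-check a Microsoft Sentinel threat-intelligence indicator body.

Constructed example, not the poster's notebook. Assumption: the Sentinel REST
indicator object uses camelCase property names (patternType, displayName,
validFrom) rather than the snake_case STIX names quoted in its error messages.
"""
import json
import re
from datetime import datetime, timezone

# A STIX pattern is a comparison expression wrapped in square brackets.
PATTERN_RE = re.compile(r"^\[.+\]$")
# Hex digest length per algorithm; catches a truncated or mistyped hash early.
HASH_HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64}
# STIX snake_case names that the Sentinel REST body does not use (assumed mapping).
STIX_TO_SENTINEL = {"pattern_type": "patternType", "valid_from": "validFrom", "name": "displayName"}


def file_hash_pattern(algorithm: str, digest: str) -> str:
    """Return a STIX 2.1 file-hash pattern, validating the digest first."""
    digest = digest.strip().lower()
    expected = HASH_HEX_LEN.get(algorithm)
    if expected is None:
        raise ValueError(f"unsupported hash algorithm {algorithm!r}")
    if len(digest) != expected or not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError(f"{algorithm} digest must be {expected} hex characters")
    # Hash keys containing a hyphen (SHA-256) must be quoted in STIX patterns.
    key = f"'{algorithm}'" if "-" in algorithm else algorithm
    return f"[file:hashes.{key} = '{digest}']"


def build_indicator(display_name: str, pattern: str, pattern_type: str = "stix",
                    source: str = "constructed-example",
                    threat_types=("malicious-activity",), valid_from=None) -> dict:
    """Assemble the request body with camelCase Sentinel property names."""
    when = valid_from or datetime.now(timezone.utc)
    return {
        "kind": "indicator",
        "properties": {
            "displayName": display_name,
            "pattern": pattern,
            "patternType": pattern_type,
            "source": source,
            "threatTypes": list(threat_types),
            "validFrom": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        },
    }


def check_indicator(body: dict) -> list:
    """Return a list of problems with an indicator body; an empty list means it looks fine."""
    problems = []
    if body.get("kind") != "indicator":
        problems.append("kind must be 'indicator'")
    props = body.get("properties", {})
    for key in ("displayName", "pattern", "patternType", "source", "validFrom"):
        if key not in props:
            problems.append(f"missing property {key!r}")
    for snake, camel in STIX_TO_SENTINEL.items():
        if snake in props:
            problems.append(f"{snake!r} is a STIX name, not a Sentinel property; use {camel!r}")
    if "pattern" in props and not PATTERN_RE.match(str(props["pattern"])):
        problems.append("pattern must be a bracketed STIX comparison expression")
    return problems


def post_indicator(ti_url: str, bearer: str, body: dict) -> int:
    """Send the body after the local check; ti_url and bearer are placeholders supplied by the caller."""
    problems = check_indicator(body)
    if problems:
        raise ValueError("; ".join(problems))
    import urllib.request  # imported here so the rest of the module runs offline
    req = urllib.request.Request(
        ti_url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": bearer},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    md5 = "d41d8cd98f00b204e9800998ecf8427e"  # value from the post above
    body = build_indicator("File hash for malware variant", file_hash_pattern("MD5", md5))
    print(json.dumps(body, indent=2))
    print("problems:", check_indicator(body))
```

Running the check against the original body from the post reports the snake_case `pattern_type` key as the likely cause, which is easier to spot locally than from the service's error text.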