Forum Discussion

mattt-75cs's avatar
mattt-75cs
Copper Contributor
Feb 21, 2024

Microsoft Sentinel Threat Intel API - IOC Syntax

I am having some trouble with the threat intel API and the syntax for the indicator object. I have even tried copying examples from various forums and google searches, but nothing has worked yet.

 

Right now, I am trying the minimal amount of settings I possible can:

 

tiBody = {
"kind": "indicator",
"properties": {
"name": "File hash for malware variant",
"pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
"pattern_type" : "stix",
}
}

 

But i always get this error:

 

{'error': {'code': 'BadRequest',
'message': "STIX Object of type 'indicator' must provide a value for the required property 'pattern_type'"}}

 

Clearly, I have pattern_type in the body and I have tried variations such as "stix", "file", "file:hashes", etc..

 

Any suggestions? 

 

Python Notebook:

requests.post(tiURL,json=tiBody,headers=headers2)

 

headers2= {
"Content-Type":"application/json",
"Authorization": bearer
}

tiURL = f'https://management.azure.com/subscriptions/{subscription}/resourceGroups/{resourceGroup}/providers/Microsoft.OperationalInsights/workspaces/{workspace}/providers/Microsoft.SecurityInsights/threatIntelligence/main/createIndicator?api-version=2023-11-01'

 

Any help is appreciated. 

 

Thanks,

Matt

No RepliesBe the first to reply

Share

Resources