Forum Discussion
Updating existing ThreatIndicator
I wish that was the case!
I store the baseUri, sub, rg, and workspace as an Environment variable in Postman and the requests have a pre-request script run that concats these and populates the {{apiEndpoint}} variable:
// Read the pieces of the Sentinel endpoint from the Postman environment.
let baseUri = pm.environment.get("baseUri");
let subscriptionId = pm.environment.get("subscriptionId");
let resourceGroupName = pm.environment.get("resourceGroupName");
let workspaceName = pm.environment.get("workspaceName");
// Build the SecurityInsights resource path and expose it as {{apiEndpoint}}.
let uri = baseUri + "/subscriptions/" + subscriptionId + "/resourceGroups/" + resourceGroupName + "/providers/Microsoft.OperationalInsights/workspaces/" + workspaceName + "/providers/Microsoft.SecurityInsights";
pm.environment.set("apiEndpoint", uri);
So the {{apiEndpoint}} that was used for the POST request to create the indicator is the same as the one being used to PUT the update, as well as in other calls to Sentinel.
To sanity check it though I can confirm that it's being populated as:
https://management.azure.com/subscriptions/[redacted]/resourceGroups/[redacted]/providers/Microsoft.OperationalInsights/workspaces/[redacted]/providers/Microsoft.SecurityInsights
So in the example the request really should just be a PUT request to {{apiEndpoint}}/threatIntelligence/main/indicators/3a2525cd-35f5-48e7-fbb7-e3df8f6a6a95?api-version=2021-10-01 with my request.body
Sentinel allows indicators to use values/patterns it already knows about, and there's lots of overlap between various OSINT feeds, so I was hoping to create my own input validation using something like the externalId or externalRef bound to the UUID in MISP or whatever to prevent duplication and just update/refresh existing.
Thinking a workaround for this is to just POST to /queryIndicators?api-version=2021-10-01-preview with a keyword, then delete and re-create the matching IOC, as the use case here is to prevent duplicates from systems like MISP, whereby a modified attribute in MISP would update the timestamp, so an interval-based restSearch on timestamp would pick up a pre-ingested IOC.
More than open to suggestions if there's a better method though.
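As an added example (not code from the post above or from Microsoft), the endpoint construction from the pre-request script with input checks, plus the externalId-based "update existing or create new" decision the poster is after, so an interval-based MISP pull does not produce duplicates. The shape of the `existing` array (objects with `name` and `properties.externalId`) is an assumption about what a queryIndicators call returns and should be checked against a real response; the sample data is constructed.

```javascript
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Same concatenation as the Postman pre-request script, but it refuses to run with
// a missing variable and tolerates a trailing slash on baseUri (avoids "//" in the path).
function buildApiEndpoint(env) {
  for (const k of ["baseUri", "subscriptionId", "resourceGroupName", "workspaceName"]) {
    if (!env[k]) throw new Error(`missing environment variable: ${k}`);
  }
  const base = env.baseUri.replace(/\/+$/, "");
  return `${base}/subscriptions/${encodeURIComponent(env.subscriptionId)}` +
    `/resourceGroups/${encodeURIComponent(env.resourceGroupName)}` +
    `/providers/Microsoft.OperationalInsights/workspaces/${encodeURIComponent(env.workspaceName)}` +
    `/providers/Microsoft.SecurityInsights`;
}

// URL for PUT/GET/DELETE on one indicator; the indicator name must be a UUID.
function indicatorUrl(apiEndpoint, indicatorName, apiVersion = "2021-10-01") {
  if (!UUID_RE.test(indicatorName)) throw new Error(`indicator name is not a UUID: ${indicatorName}`);
  return `${apiEndpoint}/threatIntelligence/main/indicators/${indicatorName}?api-version=${apiVersion}`;
}

// existing: indicators already in Sentinel (assumed shape {name, properties:{externalId}}).
// incoming: indicator bodies built from MISP attributes, externalId = MISP attribute UUID.
// Returns which bodies to PUT onto an existing indicator name and which to POST as new.
function planIndicatorSync(existing, incoming) {
  const nameByExternalId = new Map();
  for (const ind of existing) {
    const ext = ind.properties && ind.properties.externalId;
    if (ext) nameByExternalId.set(ext, ind.name);
  }
  const plan = { update: [], create: [] };
  for (const body of incoming) {
    const name = nameByExternalId.get(body.properties.externalId);
    if (name) plan.update.push({ name, body }); // PUT .../indicators/{name}
    else plan.create.push(body);                // POST .../indicators
  }
  return plan;
}

// Constructed sample data, not real indicators.
const SAMPLE_EXISTING = [
  { name: "3a2525cd-35f5-48e7-fbb7-e3df8f6a6a95",
    properties: { externalId: "misp-attr-0001", pattern: "[ipv4-addr:value = '198.51.100.7']" } },
];
const SAMPLE_INCOMING = [
  { properties: { externalId: "misp-attr-0001", pattern: "[ipv4-addr:value = '198.51.100.7']" } },
  { properties: { externalId: "misp-attr-0002", pattern: "[domain-name:value = 'example.invalid']" } },
];
```

Inside Postman the same `buildApiEndpoint` can sit in the pre-request script with `pm.environment.get` supplying the `env` object; `planIndicatorSync` runs in a test script after the queryIndicators response has been parsed.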