SOLVED

Microsoft Graph Security API - Issue with https://graph.microsoft.com/beta/security/tiIndicators


Hi All

I am trying to use the Microsoft Graph API threat indicators API, based on the Azure Sentinel recommended way of integrating threat intelligence sources for IOC ingestion into a Sentinel instance. I perform the following steps with curl on Linux to test the functionality:

  • Get the OAuth token from Microsoft using:
curl -X POST -d 'grant_type=client_credentials&client_id=[myClientId]&client_secret=[myAppSecret]&scope=openid profile ThreatIndicators.ReadWrite.OwnedBy' https://login.microsoftonline.com/[myTenantId]/oauth2/token
  • Using the received bearer token, calling the following API:
curl -X GET -H "Authorization: Bearer [access token]" https://graph.microsoft.com/beta/security/tiIndicators
  • I am receiving the below-mentioned error:

{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure. Invalid audience.",
    "innerError": {
      "request-id": "########################",
      "date": "2019-12-19T07:41:51"
    }
  }
}


Does anybody have an idea how to use this? The main motive is to use a Graph API POST query to insert threat indicators into Azure Sentinel.

3 Replies
Best Response confirmed by Ofer_Shezaf (Microsoft)
Solution

@Ofer_Shezaf 

Hi Ofer 

 

We received the answer in the Stack Overflow channel. FYI, please refer to the link below for the solution:

https://stackoverflow.com/a/59419650/8664718
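
A diagnostic for the "Invalid audience" error in this thread, as an added example that is not part of the original posts and is not taken from the linked answer. It builds a client-credentials request for the v2.0 token endpoint with the Graph `.default` scope, then checks a token's `aud` and `roles` claims before it is sent to `tiIndicators`. The function names and the sample token builder are assumptions made for the illustration; the audience values are Microsoft Graph's resource URI and well-known application ID.

```python
import base64
import json
from urllib.parse import urlencode

# Audiences Microsoft Graph accepts: its resource URI and its well-known app ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
REQUIRED_ROLE = "ThreatIndicators.ReadWrite.OwnedBy"  # permission named in the post


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for a v2.0 client-credentials request aimed at Graph."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # App-only flows request the resource's .default scope, not openid/profile.
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def graph_token_problems(token):
    """List the reasons a tiIndicators call made with this token would fail."""
    claims = jwt_claims(token)
    problems = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in GRAPH_AUDIENCES:
        problems.append(f"aud is {aud!r}, not Microsoft Graph (Invalid audience)")
    if REQUIRED_ROLE not in claims.get("roles", []):
        problems.append(f"roles claim lacks {REQUIRED_ROLE}")
    return problems


def constructed_token(claims):
    """Build an unsigned sample token for testing the checks; not a real Azure AD token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

Application permissions appear in the `roles` claim only after an administrator has granted consent for them on the app registration, so an empty `roles` list with a correct `aud` points at consent rather than at the token request.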