Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Microsoft Sentinel Threat Intel API - IOC Syntax

Copper Contributor

I am having some trouble with the threat intel API and the syntax for the indicator object. I have even tried copying examples from various forums and google searches, but nothing has worked yet.

 

Right now, I am trying the minimal amount of settings I possible can:

 

tiBody = {
"kind": "indicator",
"properties": {
"name": "File hash for malware variant",
"pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']",
"pattern_type" : "stix",
}
}

 

But i always get this error:

 

{'error': {'code': 'BadRequest',
'message': "STIX Object of type 'indicator' must provide a value for the required property 'pattern_type'"}}

 

Clearly, I have pattern_type in the body and I have tried variations such as "stix", "file", "file:hashes", etc..

 

Any suggestions? 

 

Python Notebook:

requests.post(tiURL,json=tiBody,headers=headers2)

 

headers2= {
"Content-Type":"application/json",
"Authorization": bearer
}

tiURL = f'https://management.azure.com/subscriptions/{subscription}/resourceGroups/{resourceGroup}/providers/M...'

 

Any help is appreciated. 

 

Thanks,

Matt

0 Replies